Kudos on the Redesign

I received my copy of the March 2006 issue of LJ,
and I was surprised to see the graphic design. I think
the new design is awesome. Thanks for your work.


Stefano 


Thank our artist extraordinaire, Garrick Antikajian, 
for the spectacular new design!—Ed. 


Separation of Church and Ads 

I'm not so sure I like the new look for LJ. It's
difficult to tell where the ads end and the articles
begin. I feel that it acts as a distraction to the
reader and hides valuable information among the 
noise of advertising. 


William W. Atkinson 


Blackjack in Fewer Draws 

I just read the “Writing a Shell Game” by Dave
Taylor in the March 2006 issue of Linux Journal, 
and the technique he used for shuffling cards 
seems somewhat inefficient and incorrect. Taylor is 
randomly selecting cards from a fixed array. A far 
better algorithm would be a swap-based shuffle, 
where you walk along the deck, swapping each 
card with a randomly chosen other card. The code 
to implement this is shorter than Taylor’s “choose 
until bored, then scoop up the rest” method. In 
bash, you could do it with: 


    # Shuffle the deck (cards live in deck[1] .. deck[52])
    i=52
    while [ $i -gt 0 ]; do
        # pick a random position in 1..i and swap it with position i
        swap_i=$(( ( $RANDOM % $i ) + 1 ))
        swap=${deck[$swap_i]}
        deck[$swap_i]=${deck[$i]}
        deck[$i]=$swap
        i=$(( $i - 1 ))
    done


No need for creating a second deck from a first—this 
shuffles in-place. Still, I’d like to thank Dave for the 
article, because although I know I've encountered
bash arrays before, somehow I just could never get
the hang of the syntax. His article spells it out in an 
understandable and useful way. 


Steve Fink 


Dave Taylor replies: Hey! That’s some cool code
you've written there, Steve. Thanks for sharing it.
In terms of whether my algorithm was optimal,
well, um, err, I’ve been too busy figuring out
whether we were going to implement Atlantic
City or Vegas rules to worry about how well
the shuffle worked.
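
The swap-based shuffle discussed in the exchange above, as an added example that is not part of either letter: it draws each swap position by rejection sampling, because `$RANDOM % $i` slightly favours low positions whenever 32768 is not a multiple of `$i`. The function names and the RAND_RESULT variable are invented for this example.

```bash
#!/usr/bin/env bash
# Added example: unbiased in-place Fisher-Yates shuffle of a 1-indexed bash
# array. Every name below is chosen for this example only.

# rand_below N: set RAND_RESULT to a uniform integer in 0..N-1 (1 <= N <= 32768).
# $RANDOM is uniform over 0..32767, so "$RANDOM % N" is skewed unless N divides
# 32768. Draws that fall in the incomplete top bucket are rejected and redrawn.
# The result comes back in a global: $RANDOM used inside $(...) runs in a
# subshell and does not advance the caller's generator.
rand_below() {
  local n=$1
  local limit=$(( 32768 - 32768 % n ))   # largest multiple of n that is <= 32768
  while :; do
    RAND_RESULT=$RANDOM
    if (( RAND_RESULT < limit )); then
      break
    fi
  done
  RAND_RESULT=$(( RAND_RESULT % n ))
}

# residue_count N R: print how many of the 32768 possible $RANDOM values
# reduce to R under "% N". Unequal counts are the bias that rand_below removes.
residue_count() {
  local n=$1 r=$2
  echo $(( (32767 - r) / n + 1 ))
}

# build_deck N: fill the global array deck[1..N] with the card numbers 1..N.
build_deck() {
  local n=$1 i
  deck=()
  for (( i = 1; i <= n; i++ )); do
    deck[i]=$i
  done
}

# shuffle_deck N: shuffle deck[1..N] in place. Position i is swapped with a
# uniformly chosen position in 1..i, then i moves down by one.
shuffle_deck() {
  local i=$1 j tmp
  while (( i > 1 )); do
    rand_below "$i"
    j=$(( RAND_RESULT + 1 ))
    tmp=${deck[j]}
    deck[j]=${deck[i]}
    deck[i]=$tmp
    i=$(( i - 1 ))
  done
}

# is_permutation N: succeed only if deck[1..N] holds each of 1..N exactly once,
# i.e. the shuffle neither lost nor duplicated a card.
is_permutation() {
  local n=$1 i c
  local -a seen=()
  for (( i = 1; i <= n; i++ )); do
    c=${deck[i]:-}
    [[ $c =~ ^[0-9]+$ ]] || return 1
    (( c >= 1 && c <= n )) || return 1
    [[ -z ${seen[c]:-} ]] || return 1
    seen[c]=1
  done
  return 0
}

# Demo: shuffle a 52-card deck and show the first five cards.
build_deck 52
shuffle_deck 52
is_permutation 52 && echo "first five cards: ${deck[*]:1:5}"
echo "values mapping to residue 0 mod 52: $(residue_count 52 0)"
echo "values mapping to residue 8 mod 52: $(residue_count 52 8)"
```

`$RANDOM` is not a cryptographic generator, so this suits a card game but not a setting where someone gains from predicting the order.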


Substantiate Your Dislikes about GNOME

I'm a KDE refugee and much prefer GNOME, so I
was surprised at the depth of [Nicholas Petreley’s]
dislike [see the March 2006 etc/rant column]. It'd be
nice to know what objective standards he’s measuring
GNOME against. I’m not suggesting that GNOME
is “the best”—for example, I too dislike Nautilus and
usually install another file manager.


Sonia Hamilton 


I will be more specific in a future rant. In the meantime,
as far as what a user sees, GNOME is a window
manager, panels and file manager. The minimalistic 
window manager, Metacity, doesn’t have much to do 
with GNOME. The panels get more minimalistic with 
each release. The only substantial component of 
GNOME is Nautilus, and you replace it. What does 
that tell you?—Ed. 


What a GNOME Needs 

I think the lesson to be learned from both open-source
and commercial software is that everyone has different 
needs. [GNOME should come up with a method] that 
would allow people to choose just what level of fea- 
tures are available to users, what the defaults are and 
so on. As distro makers get a better sense of the vary- 
ing classes of users, they can continue to fine-tune 
their policies without having to be full GUI developers. 
And as users themselves grow, they can be given the 
option of moving to a more advanced GUI policy. This 
would be an elegant way of satisfying everyone's 
needs. And it keeps in line with what I think of as real
choice in the traditional UNIX sense. 


Danny 


GNOME Does Not Offer Choice 

The only real complaint I have against GNOME is that
it doesn’t support no-auto-raise-on-focus. You Google 
it, and you find letters that are six or seven years old 
asking when it will be available in GNOME, with the 
GNOME developers pretty much ignoring the request 
or saying, “never”. So to the people who say that 
GNOME offers choice, ask them why you can't 
choose to have the focus in a window that is partially 
occluded? If you get the Microsoftian response of 
“Why would you want that?”, then you have demon- 
strated that they really don't care about choice. And 
here I find myself at the end of the letter, apparently
disagreeing with Nick! Choice does matter, and 
GNOME bites precisely because it fails to offer it. 


My sentiments exactly. As per the previous letter, I’d like 
to see a desktop that “just works” but makes it easy to 
customize it to the Nth degree if I so choose.—Ed.


In Defense of GNOME

On the defensive, GNOME has the ability to do
everything I need/want. It's a simple and elegant
design, which means I don’t need to customize it
and rip out applications to slim it down. For me, at
least, it is very intuitive when I need to make a
change or add something to it. The biggest priority
for me is system resources; it is not uncommon for
my computer to be pushing the max limit because
of the magnitude of the programs I run.


Chris Stackpole 


You make a good point about GNOME using 
fewer resources than KDE. However, when I really
want to minimize the resources used by a desktop,
I run IceWM or Fluxbox. To each his own.—Ed.


Make Innovation Not Duplication

[There is] a real challenge to those who design user
interfaces for Linux. In order for Linux truly to
eclipse Microsoft on the desktop, it is not enough
to be “as good as Windows”. It has to set a new
paradigm, one in which productivity surpasses
anything possible with Windows.

To paraphrase your comments [see etc/rant,
March 2006]: choice is nice, but it’s not an end in
itself. If you have only crap to choose from, then
choice means nothing. We don’t need to have a
choice among user interfaces that are basically patterned
after what Microsoft has established. We
need to be able to choose a better way of doing
things with a computer in general. We need a better
paradigm of user interface. We need something
that really emulates the way we think as humans,
and not how Microsoft believes we should think.


Ken Peterson 


Make Raves Not Rants 

I've been a subscriber for five years or so. If the 
badgering rants of Petreley continue, I’m canceling. 
In fact, I don’t want to read any rants. I like raves.


John Elliott 


We print raves. See the raves about the rant 
column, for example.—Ed. 


KOffice Live Links 

I'm a happy reader of LJ next to also being a core
programmer of KWord and several of the other
KOffice components. As your article went over a
core feature [see the February 2006 etc/rant column],
and you apparently missed some aspects of
it, I would like to invite you to do a more thorough
review of the capabilities of KOffice. In direct reference
to your article, I can inform you that in
KOffice the OLE kind of embedding is actually
done quite innovatively (since 1999 already), and
much like you have witnessed in EIOffice, there is a
way to keep the embedded document external so
that the chart and spreadsheet data is updated
whenever the external document is edited.


Thomas Zander 


I couldn't find the way to do what you described.
It obviously isn’t as simple as the EIOffice method,
which is simply “copy” and then “paste link”.—Ed.


Boobies out of Place 

I found the cartoon with reference to “boobies”
out of place in a professional magazine. It was
hard for me to enjoy reading the March 2006 issue
of Linux Journal. My mind kept wandering to such
places as pondering if my coworkers were thinking
about my “boobies” while I was trying to convey
sophisticated technical material, perhaps in 
defense of our Linux operating systems. 


Linda Hedges 


Why Isn't etc/rant LSB-Compliant? 
Wouldn't it be more appropriate to call your column 
“var/rant” rather than “etc/rant”? Given the context 
of the column, it’s not implied that one should take 
the content as fact, but rather coincidental output 
based on certain circumstances. Just a thought... 


Ken Peterson 


You're probably right, but you gave it much more 
thought than I did.—Ed.


Skype Hype 

In the January 2006 issue of Linux Journal, (Home
Projects) there was an article regarding using a Linux-based
Skype Server for your home telephone service
[see Andrew Sheppard's “Build a Linux-Based Skype
Server for Your Home Phone System”]. I set up the
server using Fedora Core 3, following the article
every step, until I completed installing SkypeMate.
Long story short, it didn’t work. Please help.


Jimmy 


Andrew Sheppard replies: Linux is, sadly, the poor
cousin of Windows in terms of hardware driver support.
However, there’s an open-source project for
Linux to provide independent drivers and support
for the Yealink B2K USB/PSTN phone adapter. Here
are the links: savannah.nongnu.org/projects/usbb2k-api
and memeteau.free.fr/usbb2k.


The default mode may be different depending 
on what version of the B2K adapter you have, 
and who re-badged it (they all come from the 
Yealink factory, as far as I can tell). In my case,
leaving the PSTN line unplugged will leave the 
adapter in USB mode by default. 

WHAT’S NEW IN KERNEL DEVELOPMENT

The Raw Driver, used to gain direct access to
unbuffered I/O on block devices, has been deprecated
for a long time, now that the open() system call
supports the O_DIRECT option to provide the same
functionality. Adrian Bunk has been orchestrating the
deprecation and removal process, only to hit a snag at
the final moment. As is usually the case with 
unwanted user-facing kernel features, simply 
removing them tends to present a dilemma: 
either users must find an alternative to that fea- 
ture, or they must no longer upgrade their ker- 
nel. Such situations usually result in the feature 
remaining in the kernel while a grass-roots effort 
is made to clean up user space. In the current 
case with the Raw Driver, it turns out that many 
users still depend upon it, although a lot of them 
are making efforts to migrate to O_DIRECT as 
quickly as possible. But with such widespread 
use, it’s also likely the Raw Driver will have to be 
kept in the kernel for a long time to come. 

Adrian also has been continuing his work to 
remove all OSS sound drivers from the kernel, 
but it is slow going. There are still approximately 
50 OSS drivers to deal with. Some are for hard- 
ware that is fully supported by ALSA, and so 
those can be removed safely. Others have incom- 
plete or broken ALSA equivalents that need to be 
fixed, and some have no ALSA versions at all. 
Adrian has been very diligent over a long period 
of time, tracking down driver authors and bugs, 
working with users to identify missing ALSA fea- 
tures and making sure that only truly obsolete 
OSS drivers are removed and not any that actually 
are still needed. 

An old ATI RADEON framebuffer driver, 
not updated since 2002 and long since obviated 
by a newer driver, has been patched out of the 
kernel by Michael Hanselmann. Although the 
old driver has been marked as old for a long 
time, the replacement is not perfect either. In par- 
ticular, David S. Miller has pointed out a bug in 
the screen blanking routine that can confuse the
X Window System under some conditions. But 
even David favors Michael's patch, as do other
big-time kernel hackers like Benjamin
Herrenschmidt, so it does seem as though the 
old driver will be removed before too long. 
However, Andrew Morton also has said that if 
possible, he would “prefer to avoid any userland 
breakage” when removing the older driver. 

Jeff Garzik has published the hardware spec- 
ifications of two previously closed SATA controller 
chips, Silicon Image’s 3114 and 3124 chipsets. 
Silicon Image graciously gave Jeff permission to 
publish these docs, presumably after much pri- 
vate discussion. This new documentation also 
may encourage support for NCQ (Native 
Command Queuing), used in high-performance 
data transfer. This kind of openness must be 
appreciated in a hardware company. It’s impor- 
tant to remember that a lot of hardware remains 
completely undocumented to the free software 
community, requiring much effort in reverse engi- 
neering or else the abandonment of support for a 
given product entirely. 

Although Wim Van Sebroeck has been 
maintaining the Watchdog drivers for a while 
now, he has just agreed to add himself to the 
MAINTAINERS file. Kumar Gala recently asked 
on the kernel mailing list about tracking down 
the Watchdog maintainer, and Arnd Bergmann 
was the one to suggest that Wim add himself to 
the file. 

Kernel configuration is always under scrutiny 
for ways to simplify and clarify the myriad avail- 
able options. Recently, Randy Dunlap hit on the 
idea of migrating SATA configuration out of the 
SCSI area entirely. SATA does depend on SCSI to 
provide a function library, but that library could 
be implemented anywhere, without being tied to 
SCSI. As Randy reasoned it, there was no reason 
for users to have to understand this esoteric rela- 
tionship between Serial ATA and SCSI. And 
apparently, although Randy himself is not yet 
interested in seeing this change accepted into the 
kernel, the idea seems to have general support 
among kernel developers, and it probably would 
be accepted if Randy submitted a version that 
satisfied him. 


—Zack Brown 




LINUX CONSULTANTS SURVEY

For the past six months or so, Ken Hess has been
conducting an on-line Linux Consultants Survey to gather
consultants’ opinions on Linux, both its current state
and its future. Now, he's sharing the results of that survey
with linuxjournal.com readers
(www.linuxjournal.com/article/8873). Based on
their customers’ experiences, find out what Linux pros are
saying about Linux in the data center, as a server and
on the desktop.


MAKING VOTING SAFE AGAIN WITH OPEN SOURCE

It seems as though every branch of government spends
countless hours and money on its voting system—collecting
ballots, counting ballots, recounting, recounting and
recounting—and we the people still can’t trust the results.
Clearly, closed and proprietary systems aren't working, so
why not extend democracy to the voting system itself and
make it open source? In “The Politics of Honest Voting”
(www.linuxjournal.com/article/8872), LJ Publisher
Phil Hughes outlines what an open-source voting system
might look like. Share your thoughts on the matter, and
get involved with turning the current system on its head.


DOC’S BLOG

Senior Editor Doc Searls is blogging now on linuxjournal.com,
bringing breaking news and commentary on Linux
business, trends and evolution. Bookmark this page
www.linuxjournal.com/blog/800285 to go straight
to his blog, or sign up for the LJ.com RSS feed at
www.linuxjournal.com/xstatic/aboutus/rss_page
to be notified when a new entry is posted.


LJ Index, May 2006

1. Smallest number of Weblogs that mention “open source” per day: 500
2. Largest number of Weblogs that mention “open source” per day: 1,050
3. Smallest number of Weblogs that mention “linux” per day: 1,250
4. Largest number of Weblogs that mention “linux” per day: 2,600
5. Percentage of smartphones shipped with Linux in Q1 2004: 3.4
6. Percentage of smartphones shipped with Linux in Q1 2005: 13.7
7. Percentage increase of smartphones shipped with Linux between Q1s 2004 and 2005: 412
8. Current Linux percentage share of advanced mobile OSes: 17
9. Projected Linux percentage share of advanced mobile OSes by 2009: 29
10. Billions of mobile phone subscribers worldwide by late 2005: 2
11. Number of top 500 supercomputers that run on Linux: 360
12. Percentage of top 500 supercomputers that run on Linux: 72
13. Number of top 500 supercomputers that run on Linux distros: 30
14. Percentage of top 500 supercomputers that run on Linux distros: 6
15. Total number of Linux-based supercomputers in the top 500: 390
16. Percentage of Linux-based supercomputers in the top 500: 78
17. Number of Linux-based supercomputers in the top 10: 5
18. Position of the CNK/Linux-based IBM BlueGene/L in the top 500: 1
19. Growth rate in size of the CNK/Linux-based IBM BlueGene/L in the last year: 2
20. Top Linpack performance of the BlueGene/L, in teraflops: 280.6

Sources: 1-4: Technorati (during the month of January 2006; numbers rounded to
nearest 50) | 5-7: Gartner, via Linux Devices | 8, 9: TDG, via Linux Devices |
11-20: Top 500 Supercomputer Sites (t500.org)

—Doc Searls


They Said It

Great things are not done by impulse, but by a series of small things brought
together.
—George Eliot or Vincent van Gogh, on Google (many quote sites on the Web are
split between the two)

All large systems that work start as small systems that work.
—Stowe Boyd

UNIX is basically a simple operating system, but you have to be a genius to
understand the simplicity.
—Dennis M. Ritchie, www.brainyquote.com/quotes/authors/d/dennis_ritchie.html

Software wants to become worthless without skilled attention.
—Don Marti (in a conversation)

Skill without imagination is craftsmanship and gives us many useful objects
such as wickerwork picnic baskets. Imagination without skill gives us modern art.
—Tom Stoppard, jon.linuxworld.com

When you ask a question about an open-source product, ask the community, not one
specific person. When you ask for one person to answer the question, then other
people who may know the answer, might not help (in fact they almost never will,
assuming you had some reason to want to know the answer from this one specific
person). I've been doing this for many years. People almost never want to hear
this, so I usually just ignore the questions, even if they have easy answers,
because I want a community to develop, one where people help each other. That's
the only way it can grow. And I want that kind of growth even more than I want
you to get over this particular hurdle. On the other hand, if you see a newbie
ask a question of someone specific, and you know the answer, and you are not the
person he or she asked, go ahead and answer it. Assume the person just wants the
answer, not really from anyone in particular. If they complain that your name
isn’t Linus or Brian or Alice, you can tell them that's true, but the answer is
still the right one.
—Dave Winer, www.scripting.com/2006/01/14.html#When:8:18:54PM

Have Fon


In early February 2006, the Spain-based
company FON (en.fon.com) was three
months old and had just 3,000 “Foneros”
when founder Martin Varsavsky announced a
$21.7 million investment from Skype, Google
and Sequoia Capital.

If all those companies have their way, 
everybody in a position to use or deploy 
Wi-Fi Net connections will be a breed of 
“Fonero”. Varsavsky explains, “To us, the
world is divided into Linus, Bills and Aliens.
A Linus shares his/her bandwidth for free
with other Foneros, Bills share their bandwidth
for a small fee, and Aliens don’t share
their bandwidth at all.” Because Aliens are
those creatures called customers.

And those needn't be just geeks like 
the readers of Linux Journal. Ethan 
Zuckerman, in his blog My Heart's in Accra 
(www.ethanzuckerman.com/blog/?p=363), 
explains why he’s both a Fonero and on the 
company's advisory board: 


There’s a philosophical bias to many of
these projects—a belief that Internet
access is an inalienable right and
should be free—that I find charming,
but totally impractical for the parts of
the world I'm most concerned about.


In Africa, bandwidth isn't cheap. Entire
universities run on less bandwidth than I
have coming into my house on a DSL line.
Being altruistic and leaving your wireless 
access point open in Africa is pretty much 
a guarantee that you're going to end up 
with other users abusing the limited band- 
width you have. It's important that African 
users have the opportunity to share their 
bandwidth in a way that allows for 
“bandwidth shaping”—sharing some 
bandwidth with other users and retaining 
the rest for your own needs—and billing, 
so other users can share the cost with 
you. FON's current software isn’t opti- 
mized for this situation yet, but it’s close, 
and FON is engaged with the issues in a 
serious and sustained way. I predict that
FON is something I'll be able to pitch 
enthusiastically to African friends in the 
very near future. 




To run FON, download software based on
Sebastian Gostchall’s DD-WRT open-source project
(www.dd-wrt.org). And, you run it on a
FON-compatible router. Right now, that’s a
Linksys WRT54G/GS/GL (versions 1x to 4x), 
which are the ones with Linux inside. The first 
3,000 are being sold far below cost. Those may 
be gone by the time you read this, but the com- 
pany is sure to make it as easy as possible to 
become a Linus, if not a Bill. 


—Doc Searls 


Invention Is the Mother of Necessity 


Krugle is a new search engine just for source code and
other technical stuff. Ken Krugler, company founder and
CTO, puts the appeal in simple terms, “Krugle is a search
engine for programmers.”

I was at a conference in San José when Krugle CEO
Steve Larsen showed the beta version of Krugle to Bill
Weinberg, an old friend who now works as an Open
Software Architecture Specialist at OSDL. “I have to have
this”, Bill said. Then, when Steve Larsen continued with the
demo, Bill added, “No, you don’t understand. I need this.”

See if it hits you the same way. Check it out
at krugle.com.

—Doc Searls


The Inevitable, Eventual, Free Linux Desk/Laptop

Will Linux reach mainstream desktops and 
laptops without a major vendor making the 
push? Several vendors have recently stepped 
up to answer that question. 

At CES in January 2006, Google 
cofounder Larry Page made a public 
show of his company’s support (sans 
details) for MIT’s $100 laptop, designed 
to “revolutionize how we educate the 
world’s children”. 

At the end of January, Red Hat 
announced support for the project as 
well. At the time of this writing, the com- 
pany is working on adapting Fedora and 
plans to make the project an open and 
public one. The company also signed on 
as a platinum supporter of the Desktop 
Linux Summit, an event Linspire launched 
three years ago and still runs. 

The New York Times also reported that 
Nicolas Negroponte, who is running the 
$100 laptop project, is close to lining up 
$700 million from seven countries—China, 
India, Brazil, Argentina, Thailand, Egypt and 
Nigeria—interested in buying 7 million of 
the units. A Taiwanese manufacturer was 
also reportedly lined up. 

Meanwhile, Nat Friedman showed off 
Novell's Linux Desktop 10 in Paris. He 
played videos and MP3 music files (with 
Banshee, Novell's own player, using 
licensed patents), downloaded pictures 
from a digital camera and exchanged 
photos with an iPod. He also showed off 
XGL, an open-source graphics subsystem. 
Right now, it’s on track to be available by 
the time you read this. 

And, of course, the noncommercial 
open-source projects—GNOME, KDE, 
freedesktop.org (freedesktop.org) and 
so on—continue to move forward. 


—Doc Searls 


Google Web Services


With a little SOAP, cleanliness is next to Googliness. 


For the past few months, we've been looking at a number of 
Web services offered by Amazon, allowing us to search through 
its catalog with relative ease. Amazon decided several years ago 
to make its Web services largely free, on the assumption that this 
would raise the number of people eventually buying from its Web 
site. And indeed, a large number of developers now use Amazon 
Web services to create everything from custom bookstores to 
programs that can help with bookstore management. 

Amazon isn’t the only commercial Web site that has 
opened up its catalog to the outside world. Google, another 
900-pound Internet gorilla, also released its Web APIs several 
years ago. These APIs make it possible to search through 
Google's extensive catalog of Web content. It’s impossible to 
know whether this catalog is the largest in the world, but from 
my perspective, that’s somewhat irrelevant. Google's catalog is 
large enough, and is updated frequently enough, for me to 
rely on it as my primary search engine most of the time. 

Google has made a number of different APIs available over 
the last few years. This month, we look at the simplest of them, 
for performing basic searches of the Web archive. We examine 
how Google uses WSDL (Web service description language) to 
advertise its Web services and how we can make SOAP calls to 
search through Google's extensive library for our own purposes. 


Getting Started 

If you have worked with Amazon Web services, getting started 
with Google's APIs will not surprise you a great deal. To begin,
both companies require that you register to use their services. 
Registration is free in both cases and provides you with an 
identification key that is placed in every request to the server. 

To obtain a Google key, you first need to register for a 
Google account. Now, I’ve had a “Google account” for some 
time, for use with services such as Gmail and its personalized 
news page. However, it seems the APIs are linked to a different 
set of accounts. The fact that I had to register and log in to the
API system, even after initially logging in to my “main” Google 
account, struck me as a bit odd. 

That said, creating an account is simple and straightforward. 
Go to the main Google API page (www.google.com/apis), 
click on create a Google account, and fill out the form. 
Soon after submitting the HTML form, you will receive e-mail 
from Google confirming the creation of your account and 
containing your Google key, along with a URL to visit in order 
to confirm the account's creation. After confirming the creation 
of your account, you're ready to move forward with the use 
of your Google key, creating programs that take advantage of 
Google's Web services. 

Before we do that though, we should consider the restrictions
that Google places on the service and the data we
retrieve through it. Amazon allows participants to make only
one API call per second, which means a maximum of 86,400
calls in a given 24-hour period. Google, by contrast, allows
users to make only 1,000 calls in a given 24-hour period.

Moreover, the way in which these maximums are defined
indicates the way in which violations will be handled. Google
will return an error message if you have made more than
1,000 queries in the previous 24 hours, whereas Amazon will
complain only if a query comes within one second of a previous
query. Neither service keeps track of these numbers before
returning an error message, but it is obviously easier to recover
from violating Amazon's restrictions (by sleeping for one second
and retrying) than Google's (as the program might need to
sleep for up to 24 hours before retrying).
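
A client can stay inside either limit by keeping its own log of call times and checking that log before each request. The sketch below is an added example, not code from the article; the function names, the one-timestamp-per-line log format and the sample data are assumptions made for illustration, and it is written in POSIX shell rather than Perl.

```shell
#!/bin/sh
# Added example: client-side check against a call quota over a rolling window.
# Timestamps are epoch seconds, one per line, on standard input.

# quota_wait NOW LIMIT WINDOW
# Prints 0 when another call fits inside the quota, otherwise the number of
# seconds until enough earlier calls have aged out of the window.
quota_wait() (
    now=$1
    limit=$2
    window=$3
    cutoff=$(( now - window ))

    # Keep plain decimal lines only, oldest first, and drop calls that
    # already fall outside the window.
    recent=$(grep -E '^[1-9][0-9]*$' | sort -n | while read -r ts; do
        if [ "$ts" -gt "$cutoff" ]; then echo "$ts"; fi
    done)

    # Word-split the surviving timestamps into the positional parameters.
    set -- $recent
    count=$#

    if [ "$count" -lt "$limit" ]; then
        echo 0
    else
        # The call at position (count - limit + 1) must expire before the
        # next request is allowed.
        shift $(( count - limit ))
        echo $(( $1 + window - now ))
    fi
)

# Constructed sample data: COUNT calls, one every STEP seconds from START.
sample_calls() (
    start=$1
    step=$2
    count=$3
    i=0
    while [ "$i" -lt "$count" ]; do
        echo $(( start + step * i ))
        i=$(( i + 1 ))
    done
)

# Google-style quota from the article: 1,000 calls per 24 hours (86,400 s).
echo "Google, 1000 calls logged: wait $(sample_calls 1000 60 1000 | quota_wait 61000 1000 86400) s"
# Amazon-style quota from the article: one call per second.
echo "Amazon, call made this second: wait $(echo 61000 | quota_wait 61000 1 1) s"
```

Appending the current time to the log after every successful call keeps the check accurate across program restarts.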

There are a number of legal differences between the two sites'
services. Amazon pioneered the idea of affiliate vendors on the
Web, encouraging people to create commercial services around its
database. By contrast, Google explicitly states that users are
forbidden from creating a commercial service around its search
results. (If you are interested in creating a commercial service
based around Internet search data, consider looking at Amazon's
Alexa Web search platform service, which doesn't have these
restrictions. At the same time, it'll cost you 25 cents for every
1,000 requests, which can add up quickly for a popular site.)

Finally, there are some technical differences between the
two sites. Amazon's APIs work via both SOAP and REST, allowing
developers to choose between these two formats. Google,
by contrast, provides only a SOAP interface to its search
engine. So, in order to create our search system, we need to
install and use a SOAP client library. Fortunately, most languages
have high-level libraries that allow for SOAP calls.


SOAP::Lite 

SOAP, formerly the Simple Object Access Protocol, but now an 
acronym that officially doesn't stand for anything, provides a 
relatively easy method for sending an XML-encapsulated query 
to a server. The server then responds with an XML-encoded 
response. Over the years, SOAP has strayed far from its simple 
roots. Although SOAP is still easier to understand, implement 
and work with than some more complicated protocols (such 
as CORBA), it is more difficult than most people would like to 
admit. If I can get away with it, I personally prefer to use
XML-RPC for Web services. Although XML-RPC doesn't offer
all of the features of SOAP, it is far easier to work with.

That said, Google requires that we use SOAP, and with 
many good SOAP client libraries available nowadays, we should 
not be afraid to work with it. Perl programmers have a particularly
strong implementation, known as SOAP::Lite, at their disposal.
For the programming examples in this article, we use Perl
and SOAP::Lite. Note that the Lite part of the module name 
describes the ease with which programmers can implement 
Web services, not a stripped-down version of SOAP. You can 
install the latest version of SOAP::Lite from CPAN by typing: 


perl -MCPAN -e 'install SOAP::Lite'


The SOAP::Lite installation will ask you to indicate which 
tests, if any, you want to perform before installing the module. 
I normally accept the defaults, but you might want to add to
or remove from these depending on your needs. 

With SOAP::Lite installed, it's time to write a program that
queries Google. But to do that, we need to know the URL of the
service, as well as the method that we will be invoking on
Google's computer, along with the names and types of any parameters
we want to send. We could specify these by hand, but that
would mean a lot of work on our part. Moreover, Google currently
expects SOAP requests to be pointed at api.google.com/search/beta2.
If Google ever decides to change that URL without warning,
many people might be surprised and upset.

Luckily, Google has provided a WSDL file, describing the 
services offered via Google's APIs, as well as the request and 
response parameters the system accepts. It also describes the 
endpoint for queries, allowing Google (in theory) to make 
changes to the service without notifying developers in 
advance. Of course, this assumes that the WSDL file itself will 
remain in the same location. It also assumes that the names of 
the services will not change, and that each of them is documented
somewhere, because the choice of which method to
invoke still requires human intervention. 

WSDL is written in XML, and it is fairly easy to understand,
once you realize that it's describing nothing more than the various
Web services available on a particular server, including the
number, names and types of inputs. Thus, the WSDL entry for
doGoogleSearch, which performs the basic Google search of
Web content, is defined as follows:


<message name="doGoogleSearch">
  <part name="key" type="xsd:string"/>
  <part name="q" type="xsd:string"/>
  <part name="start" type="xsd:int"/>
  <part name="maxResults" type="xsd:int"/>
  <part name="filter" type="xsd:boolean"/>
  <part name="restrict" type="xsd:string"/>
  <part name="safeSearch" type="xsd:boolean"/>
  <part name="lr" type="xsd:string"/>
  <part name="ie" type="xsd:string"/>
  <part name="oe" type="xsd:string"/>
</message>


To use WSDL from within a Perl program using SOAP::Lite, 
we invoke SOAP::Lite->service with the WSDL file’s URL. If the 
file resides on the local filesystem, make sure that the URL 
begins with file:. For example: 


my $google_wsdl = "http://api.google.com/GoogleSearch.wsdl";
my $query = SOAP::Lite->service($google_wsdl);


SOAP::Lite is then smart enough to look through the 
WSDL and make all of the advertised methods dynamically 
available, such that we can do the following: 


my $results =
    $query->doGoogleSearch($google_key,
                           $query_string,
                           $starting_page,
                           $max_results,
                           $filter,
                           $geographic_restriction,
                           $safe_search,
                           $language_restriction, 'utf-8', 'utf-8');


Do you see what happened here? There is a one-to-one
mapping between the inputs described in the WSDL and the
parameters that we pass to $query->doGoogleSearch().


Simple Queries with doGoogleSearch

We have now seen the core of our Google search program written
in Perl. All that's left is to review the input parameters and the contents
of $results, which contains the results returned from Google.

The documentation for the API at www.google.com/apis/reference.html
describes the input parameters. All of them
are mandatory, but some of them are more important than
others. In particular, the Google key and the query string typically
will be set, and the others will be set with simple default
values, as you can see in Listing 1.

Most people, including myself, typically want to query the
widest possible number of Web pages with our queries; however,
there are times when it is more appropriate to retrieve data only
from servers in a particular geography or in a certain language.
The fact that Google's API makes this possible and straightforward
opens the door for many different interesting applications.

Just as we send a query to Google via SOAP-encoded 
XML, we receive a result in SOAP-encoded XML. But as 
SOAP::Lite shielded us from having to write even a tiny bit of 
XML for the query, we similarly will be insulated when it 
comes to the response. The $results variable provides a Perl 
interface to the data that we received in response. 

And exactly what data will we receive? To know that, we 
can look at the WSDL file once again. It indicates (among 
other things) that we will receive responses as a set of results, 
each of which looks like this:


<xsd:complexType name="ResultElement">
  <xsd:all>
    <xsd:element name="summary" type="xsd:string"/>
    <xsd:element name="URL" type="xsd:string"/>
    <xsd:element name="snippet" type="xsd:string"/>
    <xsd:element name="title" type="xsd:string"/>
    <xsd:element name="cachedSize" type="xsd:string"/>
    <xsd:element name="relatedInformationPresent" type="xsd:boolean"/>
    <xsd:element name="hostName" type="xsd:string"/>
    <xsd:element name="directoryCategory" type="typens:DirectoryCategory"/>
    <xsd:element name="directoryTitle" type="xsd:string"/>
  </xsd:all>
</xsd:complexType>


In other words, each search result we receive back from
Google (up to a maximum of ten) will provide all of the information
we need to create a results page that looks just like
Google's. Moreover, we can pick and choose the elements we
want to display, showing (for example) only the title and the
dmoz directory category and title. Or we can show a short snippet
from the searched page. Or all of these. Or none of these.

doGoogleSearch is not the only method described in the 
WSDL file. There also are other methods, such as working with 
Google's cached pages and checking the spelling of individual 
words. When Web services were first unveiled to the public, a 
common example was that a word processor would now be 
able to call a remote Web service for spell-checking, rather 
than coming with a built-in system. That day is still far off in 
the future, but you can imagine using Google's API for an 
experimental version of such a service. 

Moreover, we can use these outputs as inputs into another 
Web service call, either locally or remotely. Combining data 
from multiple sites is an increasingly popular thing to do, especially
when combined with Google's maps API. It's amazing to
see what can happen when you combine services in this 
way—something that we will explore in the coming months. 




COLUMNS 


AT THE FORGE


Listing 1. google-query.pl

#!/usr/bin/perl

use strict;
use diagnostics;
use warnings;

use SOAP::Lite;

# Get the Google key from ~/.google_key
my $google_key_file = "/Users/reuven/.google_key";

# Open read-only with an explicit mode and a lexical filehandle
open my $key_fh, '<', $google_key_file
    or die "Cannot read '$google_key_file': $! ";

my ($google_key) = <$key_fh>;
chomp $google_key;

close $key_fh;

# Get the command-line argument
if ($#ARGV != 0)
{
    print "$0: Invoke with a single argument, your Google search term.\n";
    exit;
}

my $query_string = shift @ARGV;

# Get the WSDL file
my $google_wsdl = "http://api.google.com/GoogleSearch.wsdl";
my $query = SOAP::Lite->service($google_wsdl);

# Use the WSDL to make the query
my $starting_page = 1;
my $max_results = 10;
my $filter = 'false';
my $geographic_restriction = '';
my $safe_search = 'false';
my $language_restriction = '';

my $results =
    $query->doGoogleSearch($google_key,
                           $query_string,
                           $starting_page,
                           $max_results,
                           $filter,
                           $geographic_restriction,
                           $safe_search,
                           $language_restriction, 'utf-8', 'utf-8');

my @results = @{$results->{resultElements}};

if (@results)
{
    # Iterate through each result we got
    my $counter = 1;
    foreach my $result (@results)
    {
        print "Result $counter of ", $#results + 1, ":\n";

        foreach my $key (sort keys %{$result})
        {
            my $value = $result->{$key};

            # Is this a hash value? If so, display it accordingly
            if (UNIVERSAL::isa($value, 'HASH'))
            {
                print "\t'$key' =>\n";

                foreach my $subkey (sort keys %{$value})
                {
                    print "\t\t'$subkey' => '$value->{$subkey}'\n";
                }
            }

            # Display the value as a simple string
            else
            {
                print "\t'$key' => '$value'\n";
            }
        }

        $counter++;
    }
}
else
{
    print "There were no results for your query of '$query_string'.\n";
}


Conclusion

This month, we took a brief look at Google's search API. Using
some simple tools, including the SOAP::Lite module for Perl,
we were able to build a simple command-line version of
Google's search page. In coming months, we'll look at
Google's map API and begin to see how we can create
mashup services that combine multiple data sources.


Resources for this article: www.linuxjournal.com/article/


The Virtual Streets of $HOME


Use Linux to visit virtual consoles, cities and battle zones.


MARCEL GAGNÉ


Figure 1. Navigating system processes with ps3 is like flying down into a virtual city.


Francois, what are you looking for on Freshmeat? Quoi? A
program to digitize you so you can go inside the computer?
Yes, I know what it looks like in the movies, but virtual reality
hasn't quite made it there yet. I thought you understood that
when we discussed lightcycles months ago. No, Francois, I
don't think people are going to be living inside computers
anytime soon. I'm not laughing at you, mon ami. I am just
amused, that's all. No, I'm sorry to disappoint you, but I don't
think there are cities or people in your Linux system either. We
will discuss this later. Our guests will be here any moment, and
we must be ready for them.

What did you say, mon ami? They are already here?
Quickly, Francois, help our guests to their tables. Welcome,
everyone, to Chez Marcel, where fine wine meets exceptional
Linux fare and the most superb clientele. When
you have finished seating our guests, Francois, head down
to the wine cellar and bring back the 2002 Côtes du
Roussillon Villages.

Francois and I were just discussing the possibility of virtual
worlds inside our computers, a truly amazing prospect
but one that is still fantasy. It's true that amazing things
have happened in the time I've been working with computers.
Your Linux system is one of those things, and its open
nature means a freedom to explore that simply doesn't
exist elsewhere. Still, I keep thinking that the computing
model in general is still in its infancy. Maybe it's because I
watched too much science fiction and as a result, my
expectations are a bit high. Think back to the movie Tron,
for instance. In the opening sequence, Flynn, the hero of
the show, sends a program named CLU into the system to
locate some missing files. CLU, the program, looks like
Flynn and moves around in a 3-D tank while a companion
bit offers yes or no advice. There are towering skyscraper-like
structures all around as he navigates his tank down
digital streets. That's the virtual computer world I wanted
to experience in my younger days.

Ah, Francois, you have returned with the wine. Please,
pour for our guests. May I suggest, mes amis, that you enjoy
the many hidden flavors in this excellent red.

Although there may be no hidden worlds inside the system,
plenty of things are otherwise hidden from view.
Virtual consoles, for instance, scroll information that is hidden
from view once your graphical desktop starts up. Sure,
you could jump out of your graphical session with a
Ctrl-Alt-F1 to see what is happening out there, but there is a
better way. To view the hidden contents of that virtual
console, type the following at a shell prompt (you will need
root permissions for this):


cat /dev/vcs1


You see, what you may not know is that your system keeps
track of the contents of those virtual consoles (1-6) in a special
device file, /dev/vcsX, where X is the number of your virtual
console. For example, here is a sample of the output of the
first VT on my Ubuntu test system:


 * Starting OpenBSD Secure Shell server...            [ ok ]
 * Starting Bluetooth services... hcid sdpd           [ ok ]
 * Starting RAID monitoring services...               [ ok ]
 * Starting anac(h)ronistic cron: anacron             [ ok ]
 * Starting deferred execution scheduler...           [ ok ]
 * Starting periodic command scheduler...             [ ok ]
 * Checking battery state...                          [ ok ]
 * Starting TiMidity++ ALSA midi emulation...         [ ok ]

Ubuntu 6.04 "Dapper Drake" Development Branch francois tty1


This is interesting stuff, but it hardly qualifies as a hidden
world, and it just doesn't have the Wow! factor my humble
waiter is looking for. Yet, despite what I said to Francois, there
are ways to see cities inside your Linux system. It's a bit of a
stretch, but some fascinating visualization programs exist—
experimental in nature—that try to create a real-world view of
the virtual world of processes, memory and, of course, programs.
One of these is Rudolf Hersen's ps3 (see the on-line
Resources), and to take full advantage of ps3, you need a 3-D
video card with acceleration.

Compiling the program is fairly simple, but it does require 
that you have the SDL development libraries: 


tar -xjvf ps3-0.3.0.tar.bz2 
cd ps3-0.3.0 
make


To run the program, type ./ps3 from the same directory,
and you should see a 3-D representation of your process
table. When it starts, you may get something other
than an ideal view, but that's the whole point of ps3.

You can rotate the views in all three axes and look at the
process table from above or below. If the processes are too
high at the beginning, simply scale them down to something
more reasonable. Each process is identified by its
program name and its process ID.

Navigating the ps3 display is done entirely with the
mouse. Click the left-mouse button and drag to rotate and
adjust the height and speed of horizontal rotation. Click
and drag using the right-mouse button to rotate the
view horizontally and vertically. The wheel on your mouse
lets you zoom in and out. To quit the ps3 viewer, press the
letter Q on the keyboard.

ps3 is in no way a scientifically accurate means of viewing
system processes, but it is enlightening and entertaining. So
now we have virtual buildings and the makings of a virtual city
somewhere inside your system. All we're missing now are
tanks. Well, I may have an answer to that one as well. It's
called BZFlag, and this certainly calls for Francois to refill our
glasses. Mon ami, if you please.

BZFlag is a multiplayer 3-D tank battle game you can
play with others across the Internet (Tim Riker is the current
maintainer of BZFlag, but the original author is Chris
Schoeneman). The name, BZFlag, actually stands for Battle
Zone capture Flag. It is, in essence, a capture-the-flag
game. To get in on the action, look no further than your
distribution's CDs for starters. BZFlag's popularity means it
is often included with distros. Should you want to run the
latest and greatest version, however, visit the BZFlag site
(see Resources). You'll find binaries, source and even packages
for other operating systems. That way, you can get
everyone in on the action.

Figure 2. At any given time, dozens of BZFlag servers are running
worldwide and hundreds of people are playing.

Unless you specify otherwise, BZFlag starts in full-screen 
mode, but you can override this by starting the program with 
the -window option. The game begins at the Join Game screen. 
Before finding a server (the first option on the screen), you may 
want to change your Callsign (or nickname). We'll look at some 
of these other options after we've selected a server. For now, 
move your cursor to the Find Server label and press Enter. 

You won't have any trouble finding people to play
with—you'll get a list of dozens of servers currently hosting
games (Figure 2). Scroll down the list of names to find
one that suits you. Your criteria might be the number of
players, how busy a server is or how many teams are
involved. When you look at the server list, make sure you
pay attention to the type of game being hosted on the
server. Some have team-oriented capture-the-flag play, and
others host free-style action. You also may be limited by
the number of shots at your disposal, so aim carefully.

When you have made your choice, press Enter, and you'll
find yourself back at the Join screen (Figure 3) with a server
selected. You could simply start the game, but you may want
to fine-tune a few more things before you start up your tank.
Cursor down to the Team label, and press your left or right
arrow keys. By default, you will be assigned to a team automatically,
but you can change that here if you prefer. One of
the roles you can play instead of joining a team is that of
Observer. This is not a bad idea if you are new to the game,
because it lets you watch how others are handling themselves.


Figure 3. The Join screen lets you define your callsign as well as your team.


The Join screen also lets you enter the name of a server 
manually, rather than search for it. This is useful for hosting 
private games on a local LAN. Speaking of hosting games, I’m 
sure you noticed the Start Server option at the bottom of that 
list. Let's go ahead and join the game. Scroll back up to 
Connect and press Enter. 

I hope you are ready, mes amis, because the action starts
immediately, and some of these players are, well, seasoned. Move
your tank using your mouse, and fire by clicking with the left-mouse
button. These tanks are highly maneuverable and even can
jump in some games (you do this by pressing the Tab key). To learn
all the keystrokes, by the way, press Esc at any time, and select
Help. During play, BZFlag provides an extensive heads-up display
with stats on players, kills, personal scores, team scores and more (Figure 4).
Keep an eye on the map to your lower left, as it can alert you to enemy
tanks. If you can drive, fire and type at the same time, press N to send a
chat message to the group, or M to send one only to your teammates. If
you see the boss coming, press F12 to exit the game in a hurry. Just a little
joke, mes amis. I would never suggest that you play this at work.

Figure 4. The action is fast and tense, with tanks blowing up everywhere you turn.
Be careful not to be one of them.

Figure 5. Lincity is a computerized city simulation that makes you wonder why
creating a Utopia is so darn difficult.

32 | may 2006 www.linuxjournal.com

The hour is getting late, mes amis, but I don't want to leave you with the
impression that all the virtual worlds that may exist in our systems are built 
entirely on destruction and mayhem. You can, in fact, build an entire civilization, 
including a city, its farms, factories, markets and every other trapping of modern 
(or premodern) civilization. Download Lincity (or check your distribution CDs) 
and start building. The idea of this highly addictive and time-consuming 
game is for you to build a city, and in the process, feed and clothe your 
people, and create jobs so you can build and sustain an economy. Invest 
in renewable energy as you strive to build a civic Utopia (Figure 5). 

As things get better and better, you can save your game and get back
to creating this ideal world of yours. Okay, you're right, it's not as easy as it
sounds. The clock is ticking, and the months go by fast. Without careful
attention, your world may wither away in its own poisons. I should warn
you that starting from scratch may be a bit of a confidence destroyer. Why
not start when things are good? When the game begins, click the Menu
button in the upper left. The main window then provides you with some
choices, including one to Load a saved game. The game comes with two:
one is called Good Times and the other (you guessed it), Bad Times. I recommend
Good Times to get your virtual flippers wet. When you get so
good at this that you feel you can fix anything, go for the Bad Times, and
see if you can pull your city back from being $25 million in debt.

The clock, mes amis, it is telling us that closing time is upon us. 
With all these sounds of artillery and explosions coming from your 
workstations, it seems obvious that we will have to stay open just a little 
longer. Francois will happily refill your glasses one final time before we 
say, “Au revoir”. The games may be all virtual, but the wine is real. It's 
a good thing too, but I’d hate to have it spilled every time someone 
fired a shot. On that note, please raise your glasses, mes amis, and let 
us all drink to one another's health. A votre santé! Bon appétit!


Resources for this article: www.linuxjournal.com/article/8882. 


Marcel Gagné is an award-winning writer living in Mississauga, Ontario. He is the author of the all-new 
Moving to Ubuntu Linux, his fifth book from Addison-Wesley. He also makes regular television appearances as 
Call for Help’s Linux guy. Marcel is also a pilot, a past Top-40 disc jockey, writes science fiction and fantasy, 
and folds a mean Origami T-Rex. He can be reached via e-mail at mggagne@salmar.com. You can discover 
lots of other things (including great Wine links) from his Web site at www.marcelgagne.com.


Counting Cards


Here are some Blackjack card-handling routines you can count on. 


In my last few columns, we've had a good stab at starting to 
build a Blackjack game within the confines and capabilities of 
the shell. The last column wrapped up the discussion of how to 
shuffle an array of 52 integer values and how to unwrap a given 
card to identify suit and rank so it can be displayed attractively. 

This column goes further into the mathematics of 
Blackjack, with a routine that can be given an array of cards 
and return the numeric value of the hand. If you're a Blackjack 
player though, you'll instantly catch something we're skipping 
for now. In Blackjack, an Ace can be scored as having one 
point or 11 points, which is how the hand of Ace + King can 
be a blackjack (that is, worth 21 points). 

We'll just count the Ace as being worth 11 points for this first 
pass through the game, and perhaps later we'll come back and 
add the nuance of having the Ace be worth one or 11. Note, by 
the way, that this adds significant complexity, because there are 
then four ways to score the hand of Ace + Ace (as 2, 12, 12 or 
22), so theoretically, the routine that returns the numeric value of 
a given hand actually should return an array of values. 

But, let's start with the straightforward case. Last month, I
showed how to extract the rank of a given card with the equation: 


rank=$(( $card % 13 )) 


In a typically UNIX way, rank actually ranges from 0-12, rather 
than the expected 1-13, so because we'd like to leave cards 
#2-10 in each suit to be the corresponding value, that means we 
have the rather odd situation where rank 0 = King, rank 1 = Ace, 
rank 11 = Jack and rank 12 = Queen. No matter, really, because 
we're going to have to map card rank into numeric values anyway 
for one or more of the cards—however we slice it. 

With that in mind, here's a function that can turn a set of card 
values into a point value, remembering that all face cards are worth 
ten points and that, for now, the Ace is worth only 11 points: 


function handValue
{
   # feed this as many cards as are in the hand
   handvalue=0 # initialize
   for cardvalue
   do
     rankvalue=$(( $cardvalue % 13 ))
     case $rankvalue in
       0|11|12 ) rankvalue=10 ;;   # King, Jack, Queen
       1       ) rankvalue=11 ;;   # Ace
     esac
     handvalue=$(( $handvalue + $rankvalue ))
   done
}


Let's examine some nuances to this before we go much
further. First, notice that the conditional case statements can
be pretty sophisticated, so we catch the three situations of
rankvalue = 0 (King), rankvalue = 11 (Jack) and rankvalue = 12
(Queen) with a succinct 0|11|12 notation.

What I like even better with this function is that by using the
for loop without specifying a looping constraint, the shell automatically
steps through all values given to the function and then terminates,
meaning we have a nice, flexible function that will work just
as well with four or five cards as it would with only two. (It turns
out that you can't have more than five cards in a Blackjack hand,
because if you get five cards and haven't gone over a point value
of 21, you have a “five card monty”, and it's rather a good hand!)

Invoking this is typically awkward, as are all functions in the
shell, because you can't actually return a value and assign it to
a variable or include it in an echo statement or something similar.
Here's how we can easily calculate the initial point values of
the player's hand and the dealer's:


handValue ${player[1]} ${player[2]}
echo "Player's hand is worth $handvalue points"

handValue ${dealer[1]} ${dealer[2]}
echo "Dealer's hand is worth $handvalue points"


Blackjack is a game that's very much in the dealer's favor, 
because the player has to take cards and play through the hand 
before the dealer has to take a single card. There’s a significant 
house advantage for this reason, but in this case, we now can 
have a loop where we ask players if they want to receive another 
card (a “hit”) or stick with the hand they have (a “stand”) by 
simply keeping track of their cards and invoking handValue after 
each hit to ensure they haven't exceeded 21 points (a “bust”). 

To get this working though, we have to restructure some 
of the code (not an uncommon occurrence as a program 
evolves). Instead of simply referencing the deck itself, we now 
have a pair of arrays, one for the player and one for the dealer. 
To initialize them, we drop the value -1 into each slot (in the 
initialization function). Then, we deal the hands with: 


player[1]=${newdeck[1]}
player[2]=${newdeck[3]}
nextplayercard=3 # player starts with two cards
dealer[1]=${newdeck[2]}
dealer[2]=${newdeck[4]}
nextdealercard=3 # dealer also has two cards

nextcard=5 # we've dealt the first four cards already


You can see the tracking variables we need to use to
remember how far down the deck we've moved. We don’t
want to give two players the same card!

With that loop in mind, here’s the main player loop:


while [ $handvalue -lt 22 ]
do
  echo -n "H)it or S)tand? "
  read answer
  if [ "$answer" = "stand" -o "$answer" = "s" ] ; then
    break
  fi

  # deal the next card from the deck into the player's hand
  player[$nextplayercard]=${newdeck[$nextcard]}
  showCard ${player[$nextplayercard]}
  echo "** You've been dealt: $cardname"

  handValue ${player[1]} ${player[2]} ${player[3]} ${player[4]} ${player[5]}

  nextcard=$(( $nextcard + 1 ))
  nextplayercard=$(( $nextplayercard + 1 ))
done


That's the simplified version of this loop. The more sophisticated
version can be found on the Linux Journal FTP site
(ftp.ssc.com/pub/lj/listings/issue145/8860.tgz). Notice that it’s pretty straightforward. As
long as the hand value is less than 22 points, the player can add cards or 
opt to stand. In the latter case, the break statement pulls you out of the 
while loop, ready to proceed with the program. 

Because nextcard is the pointer into the deck that keeps track of how 
many cards have been dealt, it needs to be incremented each time a card is 
dealt, but as we're using nextplayercard to keep track of the individual player 
array, we also need to increment that each time through the loop too. 

Let's look at one simple tweak before we wrap up, however. Instead of 
merely asking whether the player wants to hit or stand, we can recom- 
mend a move by calculating whether the hand value is less than 16: 


if [ $handvalue -lt 16 ] ; then
  echo -n "H)it or S)tand? (recommended: hit) "
else
  echo -n "H)it or S)tand? (recommended: stand) "
fi


Generally, we'll have a quick demo, but notice that we do have some 
bugs in this script that need to be dealt with first, though: 


$ blackjack.sh 

** You’ve been dealt: 3 of Clubs, Queen of Clubs 
H)it or S)tand? (recommended: hit) h 

** You’ve been dealt: 8 of Hearts 

H)it or S)tand? (recommended: stand) s 

You stand with a hand value of 21 


Perfect. And here’s another run: 


$ blackjack.sh 

** You’ve been dealt: 4 of Clubs, Jack of Hearts 
H)it or S)tand? (recommended: hit) h 

** You’ve been dealt: 10 of Diamonds 


*** Busted! Your hand is worth 24 ** 


Ah, tough luck on that last one! 

Rather than point out specific problems, let me note here that being 
dealt either of the following two sequences is quite a problem: A A or 
222234. Can you see why? 

Next month, we'll look at solving these problems!
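One way to total a hand so that the cases above score sensibly, as an added example (not the author's code and not the fix promised for next month): it counts an Ace as 1 when 11 would bust, skips the -1 placeholders, and totals however many cards it is given. The name hand_value and the sample card numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: total a Blackjack hand, counting each Ace as 11 or 1.
# hand_value is a hypothetical name; cards use the article's numbering,
# where card % 13 gives 0 = King, 1 = Ace, 11 = Jack, 12 = Queen.
hand_value() {
    total=0
    aces=0
    for card in "$@"; do
        # The article fills unused hand slots with -1; skip them.
        if [ "$card" -lt 0 ]; then
            continue
        fi
        rank=$(( $card % 13 ))
        case $rank in
            0|11|12) total=$(( $total + 10 )) ;;
            1)       total=$(( $total + 11 )); aces=$(( $aces + 1 )) ;;
            *)       total=$(( $total + $rank )) ;;
        esac
    done
    # Demote Aces from 11 to 1, one at a time, while the hand would bust.
    while [ "$total" -gt 21 ] && [ "$aces" -gt 0 ]; do
        total=$(( $total - 10 ))
        aces=$(( $aces - 1 ))
    done
    echo "$total"
}

# Constructed sample hands (card numbers chosen to give the ranks shown).
echo "A A          -> $(hand_value 1 14 -1 -1 -1)"
echo "A Q          -> $(hand_value 1 12)"
echo "2 2 2 2 3 4  -> $(hand_value 2 15 28 41 3 4)"
```

The caller still has to pass every card in the hand; the loop above only ever passes the first five slots.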


Dave Taylor is a 26-year veteran of UNIX, creator of The Elm Mail System, and most recently author of both the 
best-selling Wicked Cool Shell Scripts and Teach Yourself Unix in 24 Hours, among his 16 technical books. His 
main Web site is at www.intuitive.com. 
Security Features in Debian 3.1


Debian gives you every security feature you need and 
more, but using these tools can be a daunting task. 


Last month, I began a three-part series on distribution-specific
security features, beginning with SUSE Linux 10.0. This month,
I continue with Debian 3.1, and next month I will conclude
with Red Hat Enterprise Linux.

As you may recall, unless you missed last month's column or 
have been enjoying yourself in memory-impairing ways since 
then, several things about SUSE 10.0 really struck me: its wide 
variety of security-enhancing software packages and security- 
scanning tools; its inclusion of several different virtual machine 
platforms; and Novell AppArmor, which adds Mandatory Access 
Controls (MACs) to individual applications and processes. 

When I began exploring security features in Debian 3.1
(Sarge) GNU/Linux, I was therefore particularly interested to
determine two things: how does Debian 3.1 compare with SUSE 10.0 in
those areas? And, what unique security features does Debian
bring to the table?

Like SUSE, Debian GNU/Linux is a general-purpose Linux 
distribution designed to be useful in a wide variety of desktop 
and server roles. Also like SUSE, Debian includes a long and 
varied bundle of binary software packages. 

Unlike SUSE, Debian is a 100% not-for-profit undertaking. 
There is no expensive Enterprise version of Debian 3.1 with more 
features than the freeware version. There’s only one version of 
Debian GNU/Linux 3.1, and it’s 100% free—unless you purchase 
Debian CD-ROMs from a Debian re-packager such as LinuxCentral 
(see the on-line Resources), in which case you're paying primarily 
for the cost of CD-ROM production, not for Debian itself. 

Arguably, there are security ramifications associated with 
any purely free software product. Business-oriented IT man- 
agers love to ask, “Who's accountable when things go 
wrong?” But others point to Debian’s impressive record of 
releasing timely security patches as evidence that the Debian 
Security Team is at least as dependable and responsive as any 
equivalent commercial entity. My own opinion is that its free- 
ness isn’t a major factor one way or the other. Debian doesn’t 
have a reputation for being any more or less secure than com- 
mercial general-purpose Linux distributions. 


Installing Debian GNU/Linux 3.1

So, what is the Debian installation experience like, and how
does it encourage good security?

Compared to other major general-purpose Linux distributions,
Debian’s installer is decidedly old-school. It uses a bare-bones,
text-based GUI that does little more than install software
packages. Although this may be off-putting to many
users, especially those new to Linux, it minimizes the system
resources required to install Debian and the amount of time
you'll spend waiting for the installer to load itself into RAM.

Software package installation, as with any Linux distribution,
is the heart of the Debian installation process, and in
Debian 3.1 it's handled by aptitude. aptitude is similar to its
predecessor, dselect, but with a couple of important differences.
The first is that although it’s text-based like dselect, aptitude
sports drop-down menus you can access by pressing the
F10 key. The second difference is that, for me at least, aptitude
organizes packages in a much less confusing way than dselect.
It’s still primitive compared to the graphical package installers
in SUSE, Red Hat Enterprise Linux and so on (and arguably
clunkier than the text-based Slackware installer); however, aptitude
is a significant improvement over dselect.

With aptitude, it’s also easy to update your local package 
list and get the latest security patches from the Debian.org site 
(see Resources). In fact, anytime you install software using the 
Advanced Packaging Tool (apt) system (for example, when you 
run aptitude or apt-get), Debian automatically checks for secu- 
rity updates for the packages you're attempting to install. 

The bad news about the Debian installer is that it doesn’t 
seem to do very much to harden your system, even in a prelim- 
inary way. It doesn't give you an opportunity to create even a 
basic local firewall policy or choose a preconfigured or default 
policy. It doesn’t even check your root and first nonprivileged- 
user account passwords for complexity (although it does warn 
you that passwords need to be complex). 

Rather, it appears as though in Debian the emphasis is on 
providing users with as wide a variety of security-related soft- 
ware packages as possible, rather than actually helping users 
set up any of those packages. Considering that Debian consists 
of more than 15,000 software packages in all, you've got 
many choices indeed. Table 1 lists some Debian packages that 
directly enhance system security. 

In addition to the local security-enhancing packages in Table 
1, Debian includes many tools for analyzing the security of 
other systems and networks. Table 2 lists some notable ones. 

Sifting through all these packages at installation time can 
be daunting. One thing that helps is aptitude’s ability to search 
for packages by name. Another is the “Securing Debian 
Manual” (see Resources). 

Once you've selected and installed your initial set of software
packages, aptitude runs a few post-installation scripts
(depending on what you installed). On my test system, I was
disappointed to see very little in these scripts germane to security—these
deal primarily with basic system setup, such as network
settings. If you need to reconfigure these basic settings
later (without editing files in /etc directly), you can re-invoke
that part of the installer with the base-config command.

In summary, Debian’s installation-time security features are dis- 
appointing and sparse. It may not be fair to compare the purely 
volunteer-driven Debian effort to a commercial product, but in my 
opinion, Debian sorely needs a centralized, security feature-rich 
installation and administration utility akin to SUSE’s YaST. 
Table 1. Some Security-Enhancing Packages in Debian 3.1

Package Name: Description

aide, fam, tripwire, osiris: File/system integrity checkers.
bastille: Excellent, comprehensive and interactive (yet scriptable) hardening utility.
bochs: Bochs virtual x86 PC.
bozohttpd, dhttpd, thttpd: Minimally featured, secure Web server daemons.
chrootuid, jailer, jailtool, makejail: Utilities for using and creating chroot jails.
clamav: General-purpose virus scanner.
cracklib2, cracklib-runtime: Library and utilities to prevent users from choosing easily guessed passwords.
filtergen, fireflier, firestarter, ferm, fwbuilder, guarddog, mason, shorewall: Tools for generating and managing local firewall policies.
flawfinder, pscan, rats: Scripts that parse source code for security vulnerabilities.
freeradius, freeradius-ldap, etc.: Free radius server, useful for WLANs running WPA.
frox, ftp-proxy: FTP proxies.
gnupg, gnupg2, gpa, gnupg-agent: GNU Privacy Guard (gpg), a versatile and ubiquitous e-mail- and file-encryption utility.
harden, harden-clients, harden-servers, etc.: Actually an empty package containing only scripts that install and un-install other packages so as to improve system security.
ipsec-tools, pipsecd, openswan, openswan-modules-source: Tools for building IPSec-based virtual private networks.
libapache-mod-chroot, libapache2-mod-chroot: Apache module to run httpd chrooted without requiring a populated chroot jail.
libapache-mod-security, libapache2-mod-security: Proxies user input and server output for Apache.
oftpd, twoftpd, vsftpd: Minimally featured, secure FTP server daemons.
privoxy: Privacy-enhancing Web proxy.
psad: Port-scan attack detector.
pyca, tinyca: Certificate authority managers.
selinux-utils, libselinux1: Utilities and shared libraries for SELinux.
slat: Analyzes information flow in SELinux policies.
slapd: OpenLDAP server daemon.
squidguard: Adds access controls and other security functions to the popular Squid Web proxy.
squidview, srg: Log analyzers for Squid.
syslog-ng: Next-generation syslog daemon with many more features than standard syslogd.
trustees: Extends file/directory permissions to allow different permissions for different (multiple) groups on a single object.
uml-utilities: User-mode Linux virtual machine engine for Linux guests.

Like other major Linux distributions, Debian increases in size
and complexity with each new release. The paradox here is that 
Debian’s ever-growing, almost unparalleled selection of software 
packages makes it more complex, even to the point of confu- 
sion—confusion causes sloppiness; sloppiness introduces avoidable 
security holes. A central administration utility would go a long way 
to reduce this confusion and enhance security for Debian neo- 
phytes and power users alike. It would go even further if it includ- 
ed modules for creating local firewall policies, managing virtual 
machines, managing SELinux or Trustees policies and so on. 

All ranting aside, I like Debian, and as of this writing, I'm
in the process of migrating my Web server from SUSE to 
Debian (though my laptop will remain a SUSE box). It’s also 
worth mentioning that there are many unofficial Debian 
installers available, including other Linux distributions based on 
Debian and able to run Debian packages (see Resources). 

So, moving on, let’s talk about some particularly interesting 
and useful groups of security-related packages in Debian 
GNU/Linux 3.1. 


Virtual Machines in Debian 

If you want a hypervisor-based virtual machine environment,
such as Xen for Debian, you need to obtain and compile
source code, though that’s not too huge of a barrier. Debian
has no Xen packages. Debian does include, however, binary
packages for two other general-purpose virtual machine environments:
user-mode Linux (UML) and Bochs. (It also includes
Wine, but this is more of a shim for running specific Windows
applications than a virtual machine per se.)

Table 2.

Package Name: Description

dsniff, ettercap: Packet sniffers for switched environments.
ethereal, tcpdump: Excellent packet sniffers.
fping: Flood ping (multiple-target ping).
idswakeup: Attack simulator for testing intrusion detection systems (IDSes).
john: John the Ripper, a password-cracking tool (legitimately used for identifying weak passwords).
kismet: Wireless LAN sniffer that supports many wireless cards.
nessus, nessusd, nessus-plugins: Nessus general-purpose security scanner.
nmap: Undisputed king of port scanners.
snort: Outstanding packet sniffer, packet logger and intrusion detection system.

Of Debian's two officially supported virtual machines, user-
mode Linux is probably the most viable option for using virtual 
hosts to segregate different application environments, for 
example, Apache on one virtual machine and BIND9 on anoth- 
er. This is because of performance limitations in Bochs: Bochs 
emulates every single x86 CPU instruction and all PC devices. 
Bochs therefore would appear to be more suited to single 
guest-system applications, such as running Windows applica- 
tions on your Linux desktop system. The Bochs Project home 
page (see Resources) includes official documentation and links 
to mailing lists, discussion boards and so forth. Debian’s 
bochs-doc package also contains Bochs documentation. 

User-mode Linux doesn’t support Windows guest systems, 
but it is much faster than Bochs and has the added advantage 
of running all guest systems’ kernels as nonprivileged users 
(that is, not as root, like the underlying “host” kernel). See 
Debian’s user-mode-linux-doc package for more information. If 
you run a Debian guest on an underlying Debian host, you 
may need to install the user-mode-linux package (on the 
guest) from Debian’s unstable release—the stable version is 
unavailable for some reason. 

I must add a disclaimer at this point: I've never used UML
myself, being a VMware user of long standing (see my review of
VMware Desktop 5.5 on page 56). Therefore, I can’t tell you
firsthand how to use UML or even how well it works in Debian.


Enhanced Access Controls in Debian 

Several packages in Debian GNU/Linux 3.1 enhance local 
access controls. The trustees package lets you define multiple 
sets of permissions on a single file/directory/device object by 
associating a trustee object with it. For example, you can give 
members of the users group read-only access to the file 
foo.txt, and give members of the foomasters group write privi- 
leges to the same file. 

A much more comprehensive set of controls is provided by 
SELinux, the US National Security Agency's type-enforcement 
and role-based access control system for the Linux kernel. 
SELinux makes it possible to manage users, groups and system 
resources with a very high level of granularity, even to the 
extent of making it possible to restrict root’s own privileges. 

The trade-off is complexity. Creating and managing SELinux 
policies that don’t impair needed functionality can be involved. 
Luckily, besides its standard selinux-utils package, Debian includes 
checkpolicy, an SELinux policy compiler, and setools, a group of 
utilities for analyzing SELinux policies and managing users. 

If SELinux is more than you're willing to tackle, Debian 
provides several other tools for delegating root’s authority. 
sudo, of course, is the classic in this category, but there's also 
osh, the Operator's Shell. 


Limited-Feature SSH Packages in Debian

Another interesting category of tools that are well represented
in Debian are limited-feature Secure Shell (SSH) tools. SSH, of
course, is an encrypted, strongly authenticated means of running
remote shells, executing remote commands and even for
tunneling other TCP-based network applications including the
X Window System. But what if you want to offer users only a
subset of SSH functionality—for example, encrypted file transfers,
without giving them shell access?

Two Debian packages that address this problem are rssh,
which allows users to use scp, rdist, rsync, cvs or sftp over SSH
without actual shell access, and scponly, which allows scp
without allowing remote shells.
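A check an administrator can run after assigning rssh or scponly, as an added example rather than anything from the article or the Debian packages: it reads passwd-format lines and reports accounts that were meant to be transfer-only but still have a full login shell. It assumes the restriction is applied by making rssh or scponly the account's login shell; the function names, account names and sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in passwd(5) format; accounts and paths are illustrative.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
upload:x:1001:1001:Upload account:/home/upload:/usr/bin/rssh
mirror:x:1002:1002:Mirror push:/home/mirror:/usr/bin/scponly
backup:x:1003:1003:Backup pull:/home/backup:/bin/sh
svc:x:1004:1004:Service:/nonexistent:/bin/false'

# classify_shell SHELL_PATH
# Classifies a login shell by its basename, so the install path does not matter.
classify_shell() {
    case "${1##*/}" in
        # scponlyc is scponly's chroot variant
        rssh|scponly|scponlyc) echo transfer-only ;;
        false|nologin)         echo no-login ;;
        # anything else, including an empty field (login falls back to /bin/sh)
        *)                     echo full-shell ;;
    esac
}

# audit_accounts MIN_UID   (passwd-format lines on stdin)
# Prints "user class shell" for every account with UID >= MIN_UID.
audit_accounts() {
    min_uid=$1
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        # skip blank lines, comments and malformed UIDs
        case "$user" in ''|\#*) continue ;; esac
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge "$min_uid" ] || continue
        printf '%s %s %s\n' "$user" "$(classify_shell "$shell")" "${shell:-/bin/sh}"
    done
}

# transfer_only_violations "USER1 USER2 ..."   (passwd-format lines on stdin)
# Prints each listed user whose login shell is NOT a transfer-only shell.
transfer_only_violations() {
    wanted=" $1 "
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        case "$wanted" in
            *" $user "*) ;;
            *) continue ;;
        esac
        if [ "$(classify_shell "$shell")" != transfer-only ]; then
            echo "$user"
        fi
    done
}

# Demo on the constructed sample: list human/service accounts, then the
# accounts that were supposed to be file-transfer-only but are not.
printf '%s\n' "$SAMPLE_PASSWD" | audit_accounts 1000
printf '%s\n' "$SAMPLE_PASSWD" | transfer_only_violations "upload mirror backup"
```

On a live system, feed the functions the output of getent passwd instead of the sample.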


Filesystem Encryption in Debian 

The last category of security tools I highlight here is filesystem
encryption. These are different from more general-purpose 
encryption tools, such as gnupg and bcrypt, which are used to 
encrypt individual files. Filesystem encryption tools let you 
encrypt entire volumes (directory structures), for example, on 
USB drives and other removable media. 

Three Debian packages that provide filesystem encryption 
are cryptsetup, which manages loopback-device encryption via 
the Linux 2.6 kernel’s dm-crypt functionality; encfs, which 
doesn’t require use of loopback devices; and lufs-cryptofs, an 
encryption module for the Linux Userland Filesystem (lufs). Of 
the three, cryptsetup offers the best performance, because it 
operates at the kernel level. The user-space filesystems, encfs 
and lufs, work at a higher layer of abstraction than the ker- 
nel—that is, they’re less efficient. They're also, however, more 
useful for networked filesystems. 


Debian's Stability 

I'd be remiss if I didn’t at least briefly discuss one of my
favorite characteristics of Debian, and the main reason I'm 
running it on my new Web server—Debian’s relatively glacial 
release schedule. On the one hand, the delay in releasing 
Debian 3.1 (three years, or 21 dog/computer years after 3.0) 
was a bit extreme, and the Debian team has pledged a more 
predictable release cycle, probably one year from now on. But 
it’s also true that stability enhances security. 

Put another way, if you use Debian to run the latest desk- 
top applications, or other things that depend on the very lat- 
est hardware drivers, you may be happier with the Debian 
variant Ubuntu, which has a predictable and short (six-month) 
release cycle. If, however, you want to build an appliance sys- 
tem that chugs along in a corner, requiring little ongoing 
maintenance other than regular security patches, Debian’s 
longer release cycle is positively luxurious. In many situations, 
it’s preferable to run somewhat-outdated but fully security- 
patched applications than it is to have to upgrade the entire 
operating system every six months (or sooner). I admit, however,
that I am among the world’s laziest system administrators!


Conclusion 
Like UNIX itself, Debian provides the security-minded user with 
maximal power, flexibility and variety of tools, at the cost of 
complexity. Debian GNU/Linux 3.1 is probably not for you if 
you have an aversion to man pages or Google. But it’s very 
flexible indeed. This article scratches only the surface of 
Debian’s potential as a platform for secure server operations or 
for security scanning and auditing. 

Next month, I'll conclude my “Security Features” trilogy 
with Red Hat Enterprise Linux. Until then, take care!


Resources for this article: www.linuxjournal.com/article/8885.


Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the 
US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition 
(formerly called Building Secure Servers With Linux), an occasional presenter at informa- 
tion security conferences and composer of the “Network Engineering Polka”. 
Playing PlayStation Games in Linux


Run your favorite PlayStation games on Linux with PCSX. 


This article focuses on Sony PlayStation games and the PCSX 
PlayStation Emulator. I chose this particular system because you
can find PlayStation games both on-line and in game stores, 
primarily in the Used section. 


Getting and Installing PCSX 
To get PCSX, point a browser to the Web site (see the on-line 
Resources), scroll down to the Linux port section, and down- 
load the latest build. Once you have the file, change to your 
download directory. Next, uncompress and then unpackage the 
file. For example, on the command line inside your download 
directory, you might type tar xzvf Lpcsx-1.5.tgz. 

This action creates a directory called Pcsx in your current 
location (for example, ~/Downloads/Pcsx). Now that you have 
the main tool unpacked, it’s time to download and add plugins. 


Getting Plugins and BIOS 

PCSX is just a program shell. Plugins provide the functionality 
you need in order to play your games. To find a good selection, 
go to the Next-Gen Emulation site (see Resources) and click 
PlayStation. Along the left-hand side of the PLUGINS section of 
links, click Linux Plugins to find your options. 

The plugins I selected were Pete’s XGL2 Linux GPU (video),
P.E.Op.S. Linux OSS SPU (sound), CDR Mooby Linux (to use ISO
files of my games instead of the CDs) and padJoy. If you want 
to learn more about any of the plugins, click the home icon 
next to the entry in the listing. Otherwise, click the disk next to 
it in order to download the file. Either save them directly into 
the Plugin subdirectory (for example, ~/Downloads/Pcsx/Plugin), 
or copy them there once you have them downloaded. 

In addition to plugins, you need a PlayStation BIOS. 

“Need” is a strong word—PCSX comes with a rudimentary 
BIOS, but many recommend downloading a real PlayStation 
version for the best game compatibility. It’s legally questionable 
to offer the BIOS content so I won't give you a link. However,
reading TheGing’s Guide to PlayStation BIOS Images (see
Resources) will not only educate you more about PlayStation
BIOSes, it will give you a list of versions to try. Enter the name
of the version you want to use in a search engine, and you'll 
find the files soon enough. Save the file into the Bios subdirec- 
tory (for example, ~/Downloads/Pcsx/Bios), or move it there 
once you have it. 


Installing the “Easy Stuff” 
Some parts are simple to install, and some parts are more diffi- 
cult. Let's start with the easy ones, beginning with the BIOS. It 
probably came in a file ending in .zip, so use either your graph- 
ical file manager to uncompress it, or type unzip filename to 
do it by hand (for example, unzip scph1001.zip). That's it. 
It's installed. 

Next, we install Pete's XGL2 Linux GPU plugin. As you
might guess from the name, if you know much about sound in
Linux, this plugin uses the Open Sound System (OSS). If your
system doesn’t use OSS, you need to install and set it up
before your sound will work. Your distribution already may
have it in place; see the documentation for details or search
your package management system.

The tarball you downloaded for this plugin is in a file
similar to gpupetexgl208.tar.gz. Using your preferred method,
unpack the file. There is no configuration directory by default,
so create Pcsx/cfg (for example, ~/Downloads/Pcsx/cfg). Now,
copy the files gpuPeteXGL2.cfg and cfgPeteXGL2 into the
cfg directory.

Getting the P.E.Op.S. Linux OSS SPU plugin, whose filename
is similar to spupeopsoss108.tar.gz, is a nearly identical process.
Unpackage it in Plugin, and then copy spuPeopsOSS.cfg
and cfgPeopsOSS into the cfg directory.


Installing CDR Mooby Linux 

This plugin can be a bit tougher. The installation can appear to go
well and then not work, but there’s a quick fix available, so don’t
worry. CDR Mooby comes in a file similar to cdrmooby2.8.tgz.
Unpack this tarball in the Plugin directory. This should be all
you need to do. However, if later, when you start PCSX, you see
this error (the program will start anyway; look on the command line):


libbz2.so.1.0: cannot open shared object file: No such file or directory


then PCSX is looking in the wrong place for this library. Type
one of the following two commands (try locate first, and if it
doesn’t work, try find):

locate libbz2.so.1.0

or:

find / -name 'libbz2.so.1.0*' 2> /dev/null

As an example, your result might include:

/usr/lib/libbz2.so.1.0.2

If so, notice the difference in the filenames. To make a symbolic
link so PCSX can find the library, using the example above,
type (as root):

ln -s /usr/lib/libbz2.so.1.0.2 /usr/lib/libbz2.so.1.0


Adjust what you type accordingly.


Installing padJoy

I've saved the “worst” for last. You don't have to use a game
controller to use PCSX (the keyboard works too), but you may want to use
a game controller to get a genuine PlayStation experience.

I say this is the worst because there’s more to padJoy than simply
installing the plugin. You also have to get your game controller working,
but one thing at a time. First, make sure you installed the tools necessary
to compile C programming code (such as GCC). You also need the
GNOME development tools. In addition, make sure that you have
gtk-devel—though it may be called something like gtk+-devel in your
package management system.

Once you have everything you need in place, compile the padJoy 
plugin. The padJoy file you downloaded looks similar to padJoy082.tgz. 
Unpackage it in the Plugin folder, and it creates its own subdirectory called, 
not surprisingly, padJoy (for example, ~/Downloads/Pcsx/Plugin/padJoy). 
Enter padJoy/src (so, for example, ~/Downloads/Pcsx/Plugin/padJoy/src), and 
type make. This command should compile the plugin. If the compilation 
fails, you may be missing a dependency—hopefully, there are hints avail- 
able in the output displayed. 

You now find the files cfgPadJoy and libpadJoy-0.8.so in the src direc- 
tory. Copy cfgPadJoy into Pcsx/cfg (so, ~/Downloads/Pcsx/cfg) and 
libpadJoy-0.8.so into Pcsx/Plugin (so, ~/Downloads/Pcsx/Plugin). 

Before you proceed, consider the game controller you intend to use 
with padJoy. Do you already own one? Is it digital or analog? Does it 
have a connector that can attach to your computer, such as USB? Does 
it require a game port, and do you have one? (Check your sound card 
if you aren't sure.) Does it have its own funky connector? If you own 
an Xbox controller already (not the Xbox 360, which uses USB, but the 
original Xbox), you can go to Dan Gray's site (see Resources) and read 
how to use a bit of soldering to convert the controller's connector to 
use USB—use these instructions at your own risk, of course. If you own 
another type of controller with a proprietary connector, you can usually 
purchase a third-party converter on-line. 

I tried two different controllers with PCSX. First, I dug around and
found a joystick that connects to a computer’s game port. Then I discovered
that my SoundBlaster Live! card has a game port. The first thing I
noticed is that the joystick devices didn’t exist by default on my system
(look for /dev/js0 and/or /dev/input/js0, these are often symlinked together);
however, that’s because my distribution uses devfs and creates only the
devices it needs at the time. All I had to do was become the root user and
type the following two commands:


modprobe analog
modprobe joydev


Then, when I typed ls /dev/j* /dev/input/j*, I found that the
device /dev/input/js0 had been created, showing that the system found my
joystick. If you think that you have everything set up properly and are just
missing the device file, type mknod /dev/input/js0 c 13 0 to create
it. To test your joystick (or gamepad, or whatever you're using), you
need the joystick tools installed if they aren't already. Then, type jstest
/dev/input/js0 (adjusting the path for your driver file). You should
see output such as:


Joystick (Analog 3-axis 4-button joystick) has 3 axes and 4 buttons. Driver version is 2.1.0. 
Testing ... (interrupt to exit) 
Axes: 0: Bio @ 2:-22892 Buttons: QO:off l:off 2:off 3:off 


If you see this, it’s a good sign. Move the joystick controller around and 
press some buttons. The numbers should change and the button positions 
should change. If this happens, you're ready to move on. Press Ctrl-C to 
get out of the tool. If you see an error message or nothing, the joystick 
isn't being recognized. You can find a list of all supported input hardware 
on SourceForge (see Resources). It is often possible to get third-party 
converters that allow you to hook up game console controllers such as 
PlayStation 2 gamepads. Typically, if you can attach a gamepad
through USB, you can use it. 

If you have an original Xbox controller, you can modify 
it to connect to regular USB (again, see Dan Gray's site for 
details); however, it will no longer be usable with your 
Xbox after that. Xbox 360 controllers, on the other hand, 
have USB connectors. Gentoo users can turn to the Gentoo 
Wiki (see Resources) for more information on using the 
Xbox 360 controller. Users of other distributions can as 
well, but will have to adjust their instructions for their 
versions of Linux. For example, they will have to learn how to 
build a kernel from scratch if their kernel’s xpad driver isn't 
as new as the one linked to from the Gentoo site (the 
driver for Fedora Core 4's kernel 2.6.14-1.1656_FC4-i686 was 
far older at version .5 compared to the 1.6 of the version 
that supports the 360 controller, so you likely will need to 
update). Those using Xbox controllers will need the xpad 
driver. Because they are USB controllers, your system will 
load the driver for you when you plug in the gamepad—if 
the pad is properly recognized. The same jstest program 
works here as well. 

Once you're (relatively) sure you have your hardware 
working and all of your plugins properly installed, you can finally 
move on to configuring your emulation software. 


Configuring PCSX and Plugins 

PCSX is just a core program. It requires plugins to do anything, 
and you already have these installed. To configure the plugins, 
change to the directory you created when you unpacked the 
files—for example, ~/Downloads/Pcsx. From there, run the 
program from the command line by typing ./pcsx. 

A Pcsx Msg dialog appears, telling you to configure the 
program. Click OK to open the PCSX Configuration dialog 
(Figure 1). Many of these dialog boxes don't need you to do 
anything unless you have a specialty in sound or graphics and 
like to tweak things, so I will skip to those that are essential. 

The main dialog box to configure is the Pad section, so 
click Configure under Pad 1 (Figure 2). 

Next to Emulation, click the PCSX radio button. If your 
controller is analog, check the analog check box as well. 
From here, you can click the various buttons to change what 
they map to. With a joystick, for example, you might click 
the up arrow in the left cluster of four and then press the 
joystick handle forward. You can set some of these buttons 
to map to your keyboard as well, but your keyboard options 
are limited, so try to keep most on the controller. If you're 
into creating macros, use the M buttons on the bottom. 

Figure 1. The Main PCSX Configuration Dialog 

Figure 2. The PAD Config Dialog 

Figure 3. The Main PCSX Window 

Click OK when you are finished mapping the keys. If you 
have two controllers, click the Configure button under Pad 2 
and repeat the process for the second one—make sure to 
change its device listing; you can use jstest to confirm for 
yourself which pad is js0 and which pad is js1. After setting up 
the controllers, you need to tell PCSX which BIOS to use. 
Otherwise, under the BIOS section, select the BIOS that you 
downloaded. To do so, find the Bios section and use the drop- 
down list box to choose the BIOS in the listing. 

Your configuration is now complete. Click OK and, if all went 
well, PCSX starts (Figure 3). 


Preparing to Play 

PCSX can’t read a PlayStation CD-ROM directly unless you use a different plugin 
than the one I chose. Don’t despair. I chose the different plugin for a reason. 
It is, in fact, much faster for game play if you create an image of the game 
CD-ROM(s) and store them on your hard drive. You can’t use most standard 
tools to do this, however, because there are many little issues in the way (see 
the Mega Games site if you're interested). Instead, use cdrdao to build an ISO 
file from the CD's raw content. For many, the command will look like this: 


cdrdao read-cd --read-raw --datafile frogger.bin \
  --device ATAPI:0,0,0 --driver generic-mmc-raw frogger.toc 


where frogger.bin is the data file to create (the CD you will select when it 
comes time to play), and frogger.toc is the table of contents file to create. 
Both of these files are named after the game, so I easily can tell which one 
I want to choose. The ATAPI:0,0,0 entry will work for most CD-ROM drives. 


Finally, Playing a Game 
Yes, it's been a long haul, but you finally can attempt to play a game. I'll warn 
you right now that not all games will work. Frogger worked immediately, but 
I'm still fussing with Final Fantasy VII, which is, of course, a more complex game. 
Start PCSX just as you did earlier: enter the Pcsx directory and type 
./pcsx. This time, only the PCSX dialog appears. If you need to, use the 
Configuration menu to adjust your settings. When you're ready to play, 
select File→Run CD and then navigate to where you stored your .bin and 
.toc files. Select the .bin file for the game, and click OK (Figure 4). It might 
take a bit of practice to figure out your control setup, but it gets easier. 


Figure 4. Frogger for the Original PlayStation Running in PCSX 


Make sure you’re not running something that hogs processor time or RAM 
in the background. You can watch for this by opening a terminal window and 
typing top to open the process monitor. You may find that trying to make the 
game window larger doesn’t work and, in fact, even crashes your machine. If 
you want to run a game through the specified BIOS, choose File→Run CD 
Through BIOS. This action might convince some touchy games to play. 


Resources for this article: www.linuxjournal.com/article/8888. 


Dee-Ann LeBlanc (dee-ann.blog-city.com) is an award-winning technical writer and journalist specializing in 
Linux and miniature huskies. She welcomes comments sent to dee@renaissoft.com. 




COLUMNS 


BEACHHEAD 


JON “MADDOG” HALL 


Tales from the Beach 


Maddog introduces his new column with liquid poetry in motion. 


I have always loved the ocean, and by very definition, 
the beach. Jimmy Buffett was always my favorite singer, 
not just because of the music, which mostly told of fun 
and carefree days, but because of his music’s relation 
with the sea and the beach. Of course, I like organ music 
too, and cathedrals, but anyone who is not swayed by 
Jimmy's magic in my book is a little bizarre. 

When I was living in California, I would often go to 
the Santa Cruz Boardwalk to people watch. Santa Cruz 
was the first place I took Linus Torvalds and his young 
family when they moved to California. It is the stuff of the 
Beach Boys and surfer living, but families go there too to 
relax and watch the sea lions. Few people get angry at the 
beach. I also enjoy going to Florianopolis, Brazil, every 
year during our winter to attend OpenBeach—a bunch of 
geeks and their loved ones sitting around, sunning and 
talking about Software Livre! 

Sailors also like beaches, and I like sailing. Not 
“racing sailing” (sorry, Don Becker of Beowulf fame) 
but “cruising sailing”, with a cooler of cold drinks in the 
cockpit and one hand on the helm, your friends sunning 
themselves on the foredeck. Sailing your boat into a 
quiet cove, dropping anchor in the shallow water and 
diving overboard for a swim to a small island restaurant 
on the beach. “No shoes, no shirt...no problem!” 
Bathing suits are overdress. 

Many late nights (and early mornings) in Bermuda, 
Tortola, St. Johns, Veracruz and “Floropa” with friends 
at various “Pirate Bars” (and you know who you are!). 
Reggae or Latino music rules in those spots (although 
good ole rock and roll also works), as young bodies hop 
to the beat and old men and women hold hands and 
watch, remembering when they were young. Beach 
restaurants, music everywhere...Gilberto Gil seems to 
Creatively weave a Commons ground (a tip of the hat to 
Lawrence Lessig). I wish the United States had a minister 
of culture like Mr. Gil. 

Blue penguins (also known as fairy penguins) are so 
small they come ashore only at dusk and in waves, so 
the predators that typically swoop from the sky will be 
confused at the numbers. They waddle madly for the 
cover of the tall beachhead grass and their nests, where 
they are safe. 

There is, of course, a darker side to the beach. It is 
where the full force of the ocean meets the earth. 
Victims of hurricanes and of the Tsunami in Asia understand 
that all too well. It is also the spot that a lot of 
the fiercest battles were waged, as armies of men tried 
to come ashore in times of war, with little cover from 
enemy weaponry. 

And in these days, development of the beachhead 
leaves many without access. People with money and 
power buy the land and close it off so others cannot 
access it. To be fair, some people who want to use the 
beach do not treat it well, leaving garbage and glass 
where they should not. The people who close off the 
beach say it is “to protect their property” or to “protect 
their privacy”, but it still limits the resource. 

The beachhead should be available for everyone, for 
there is only a limited number of beaches on the planet, and 
everyone should be able to enjoy them. 

So this column is named Beachhead, and it describes 
me (think “Parrot Head” and you will understand), the 
beach itself and a frame of mind. I hope that sometimes 
it brings you joy and fun, like walking barefoot on a 
hot day down the beach with your best friend, waves 
splashing over your feet and a cold drink in your hand, 
watching for the penguins. 

Some days it will not be so nice, casting a storm 
warning. Some may stay, not believing the warning. 
Others may evacuate, fearing the tides will be too high, 
and others will batten down, knowing that the seawall 
may go, but unless they are there with the sandbags, 
disaster will certainly happen. Free and Open Source 
people that I have met always have sandbags. 

And some days there will be news of the Tsunami, 
and it will hurt, but we know that life will go on and 
renew. We have friends to help us. 

Welcome to the Beachhead. 


DOC SEARLS 


Linus Takes a Pass 
on the New GPL Draft 


The “Readers Digest” version of the Linus Torvalds vs. GPLv3 controversy. 


In January 2006, the Free Software Foundation (FSF) released 
in draft form (gplv3.fsf.org/draft) a revised and updated version 
of the GNU General Public License (GPL). Linux has grown 
for 14 years under version 2 of the GPL. Naturally, there was 
immediate interest in how the new draft would go down with 
Linus Torvalds, who created Linux and chose the original license. 


Linus chose to keep Linux licensed under GPLv2. 
How and why Linus made that choice is made clear by 
exchanges on the Linux-Kernel Mailing List (LKML) between 
January 25, 2006 and February 2, 2006, mostly on the thread 
“GPL V3 and Linux—Dead Copyright Holders”. It's such an 
interesting read, I decided to excerpt and quote the most 
relevant sections here. 


On Wednesday, January 25, 2006, Chase Venters wrote: 


This means that when the code went GPLv1—>GPLv2, the 
transition was permissible. Linux v1.0 shipped with the 
GPLv2. It did not ship with a separate clause specifying 
that “You may only use this version of the GPL” as it now 
does. (I haven't done any research to find out when this 
clause was added, but it was after the transition to v2.) 


Here's how Linus first weighed in: 


Bzzt. Look closer. 


The Linux kernel has always been under the GPLv2. 
Nothing else has ever been valid. 


The “version 2 of the License, or (at your option) any 
later version” language in the GPL copying file is not— 
and has never been—part of the actual License itself. It’s 
part of the explanatory text that talks about how to 
apply the license to your program, and it says that if you 
want to accept any later versions of the GPL, you can 
state so in your source code. 


The Linux kernel has never stated that in general. Some 
authors have chosen to use the suggested FSF boilerplate 
(including the “any later version” language), but 
the kernel in general never has. 


In other words: the default license strategy is always just the 
particular version of the GPL that accompanies a project. If 
you want to license a program under any later version of 
the GPL, you have to state so explicitly. Linux never did. 


So, the extra blurb at the top of the COPYING file in the 
kernel source tree was added not to change the license, 
but to clarify these points so that there wouldn't be 
any confusion. 

The Linux kernel is under the GPL version 2. Not anything 
else. Some individual files are licensable under v3, 
but not the kernel in general. 


And quite frankly, I don't see that changing. I think it’s 
insane to require people to make their private signing keys 
available, for example. I wouldn't do it. So I don’t think the 
GPLv3 conversion is going to happen for the kernel, since I 
personally don’t want to convert any of my code. 


The thread then continued: 


If a migration to v3 were to occur, the only potential 
hairball I see is if someone objected on the grounds that 
they contributed code to a version of the kernel Linus 
had marked as “GPLv2 Only”. IANAL. 


And, Linus responded: 


No. You think “v2 or later” is the default. It’s not. The 
default is to not allow conversion. 


Conversion isn’t going to happen. 


Here's how Linus put it in a summary posting on 
January 27, 2006: 


Linux has been v2-only for a long time, long before 
there was even any choice of licenses. That explicit “v2 
only” thing was there at least for 2.4.0, which is more 
than five years ago. So this is not some sudden reaction 
to the current release of GPLv3. This has been there 
quite independently of the current GPLv3 discussion. 


If you disagree with code you write, you can (and always 
have been able to) say so, and dual-license in many different 
ways, including using the “or later version” language. 
But that doesn't change the fact that others (a 
lot of others) have been very much aware of the “v2 
only” rule for the kernel, and that most of the Linux 
kernel sources are under that rule. 


People argue that Linux hasn't specified a version, and 
that by virtue of paragraph 9, you'd be able to choose 
any version you like. I disagree. Linux has always specified 
the version: I don’t put the license in the source 
code, the source code just says: “Copyright (C) 
1991-2002 Linus Torvalds”, and the license is in the 
COPYING file, which has ALWAYS been v2. Even before 
(for clarification reasons) it explicitly said so. 


In other words, that “if no version is mentioned” simply isn't 
even an argument. That's like arguing that “if no license is 
mentioned, it’s under any license you want”, which is crap. 
If no license is mentioned, you don’t have any license at all 
to use it. The license AND VERSION has always been very 
much explicit: linux/COPYING has been there since 1992, 
and it’s been the version 2 of the license since day 1. 


People can argue against that any way they like. In the 
end, the only way you can really argue against it is in 
court. Last I saw, intentions mattered more than any 
legalistic sophistry. The fact that Linux has been distributed 
with a specific version of the GPL is a big damn 
clue, and the fact that I have made my intentions very 
clear over several years is another HUGE clue. 


I don't see any real upsides to GPLv3, and I do see 
potential downsides. Things that have been valid under 
v2 are no longer valid under v3, so changing the license 
has real downsides. 


Quite frankly, if we ever change to GPLv3, it’s going to be 
because somebody convinces me and other copyright 
holders to add the “or any later license” to all files, just 
because v3 really is so much better. It doesn’t seem likely, 
but hey, if somebody shows that the GPLv2 is unconstitutional 
(hah!), maybe something like that happens. 


So I'm not entirely dismissing an upgrade, but quite frankly, 
to upgrade would be a huge issue. Not just I, but others 
that have worked on Linux during the last five to ten years 
would have to agree on it. In contrast, staying with GPLv2 is 
a no-brainer: we've used it for almost 15 years, and it's 
worked fine, and nobody needs any convincing. 


And that really is a big issue: GPLv2 is a perfectly fine 
license. It has worked well for us for 14 years; nothing 
really changed with the introduction of GPLv3. The fact 
that there is a newer license to choose from doesn’t 
detract from the older ones. 


A major sticking point for Linus is fresh language in GPLv3 
that, to quote the license draft, “intrinsically disfavors technical 
attempts to restrict users’ freedom to copy, modify, and 
share copyrighted works”. 

Returning to the thread, on Wednesday, February 1, 2006, 
Karim Yaghmour wrote: 


DRM is something worth fighting, but we need something 
that attacks the root problem, not its symptoms. 
In comparison, GPLv2 was indeed successful in that it 
attacked the root problem of software distribution freedom. 
How it may leverage that by introducing restrictions 
on symptoms of another problem still evades me. 


Linus responded: 


Side note: the reason GPLv2 is so successful at fighting 
the root problem of using copyright to fight restrictive 
copyrights is that it makes “interesting material” available 
under a license that forbids further restricting it. 


I would suggest that anybody who wants to fight DRM 
practices seriously look at the equivalent angle. If you 
create interesting content, you can forbid that content 
ever be encrypted or limited. 


In other words, I personally think that the anti-DRM clause 
is much more sensible in the context of the Creative 
Commons licenses, than it is in software licenses. If you 
create valuable and useful content that other people want 
to be able to use (catchy tunes, funny animation, good 
icons), I would suggest you protect that content by saying 
that it cannot be used in any content-protection schemes. 


Afaik, all the Creative Commons licenses already require 
that you can’t use technological measures to restrict the 
rights you give with the CC licenses. The “Share Alike” 
license in particular requires all work based on it also to 
be shared alike—that is, it has the “GPL feel” to it. 


If enough interesting content is licensed that way, DRM 
eventually becomes marginalized. Yes, it takes decades, but 
that’s really no different at all from how the GPL works. The 
GPL has taken decades, and it hasn't “marginalized” commercial 
proprietary software yet, but it’s gotten to the point 
where fewer people at least worry about it. 


As long as you expect Disney to feed your brain and 
just sit there on your couch, Disney & Co. will always be 
able to control the content you see. DRM is the smallest 
part of it—the crap we see and hear every day (regardless 
of any protection) is a much bigger issue. 


The GPL already requires source code (that is, non-protected 
content). So the GPL already does have an anti-DRM 
clause as far as the software is concerned. If you 
want to fight DRM on non-software fronts, you need to 
create non-software content, and fight it there. 


I realize that programmers are bad at content creation. 
So many programmers feel that they can't fight DRM 
that way. Tough. Spread the word instead. Don’t try to 
fight DRM the wrong way. 


In a February 2, 2006 post, Linus replied to a suggestion that 
GPLv2 is itself deficient at fighting DRM. Here’s the suggestion: 


The point is not only getting access to the source code, 
but also being able to change it. Being able to freely 
study the code is only half of the beauty of the GPL. 
The other half, being able to change it, can be very 
effectively stopped using DRM. 


And, Linus’ reply: 


No it cannot. 


Sure, DRM may mean that you cannot install or run 
your changes on other people’s hardware. But, it in no 
way changes the fact that you got all the source code, 
and you can make changes (and use their changes) to 
it. That requirement has always been there, even with 
plain GPLv2. You have the source. 


The difference? The hardware may run only signed kernels. 
The fact that the hardware is closed is a hardware 
license issue. Not a software license issue. I’d suggest you 
take it up with your hardware vendor, and quite possibly 
just decide not to buy the hardware. Vote with your feet. 
Join the OpenCores groups. Make your own FPGAs. 


And it's important to realize that signed kernels that 
you can’t run in modified form under certain circumstances 
is not at all a bad idea in many cases. 


For example, distributions signing the kernel modules 
(that are distributed under the GPL) that they have compiled, 
and having their kernels either refuse to load 
them entirely (under a “secure policy”) or marking the 
resulting kernel as “tainted” (under a “less secure” policy) 
is a GOOD THING. 


Notice how the current GPLv3 draft pretty clearly says 
that Red Hat would have to distribute its private keys so 
that people sign their own versions of the modules they 
recompile, in order to re-create their own versions of 
the signed binaries that Red Hat creates. That’s INSANE. 


Btw, what about signed RPM archives? How well do 
you think a secure auto-updater would work if it cannot 
trust digital signatures? 


I think a lot of people may find that the GPLv3 “anti-DRM” 
measures aren't all that wonderful after all. 


Because digital signatures and cryptography aren't just 
“bad DRM”. They very much are “good security” too. 


Babies and bathwater.... 


Then, also on February 2, 2006, Pierre Ossman wrote: 


So taking open software and closed hardware and combining 
it into something that I cannot modify is okay by you? 


Linus responded: 


But you CAN modify the software part of it. You can 
run it on other hardware. It boils down to this: we 
wrote the software. That's the only part I care about, 
and perhaps (at least to me) more importantly, because 
it’s the only part we created, it's the only part I feel we 
have a moral right to control. 


I literally feel that we do not—as software developers— 
have the moral right to enforce our rules on hardware 
manufacturers. We are not crusaders, trying to force people 
to bow to our superior God. We are trying to show 
others that cooperation and openness works better. 


That's my standpoint, at least. Always has been. It’s the 
reason I chose the GPL in the first place (and it’s the 
exact same reason that I wrote the original Linux copyright 
license). I do software, and I license software. 


And I realize that others don’t always agree with me. 
That's fine. You don’t have to. But I licensed my project 
under a license I agreed with, which is the GPLv2. 
Others who feel differently can license under their own 
licenses. Including, very much, the GPLv3. 


I'm not arguing against the GPLv3. 


I'm arguing that the GPLv3 is wrong for me, and it's not 
the license I ever chose. 


And, also on February 2, 2006, Pierre Ossman continued: 


Then I have to ask, why GPL and not a BSD license? 
GPL is after all, forcing our beliefs onto anyone who 
wishes to benefit from our work. 


In response to this post, his last post on this thread, Linus 
unpacked his differences with the Free Software Foundation: 


Yes, a lot of people see the GPL as a “crusading” 
license, and | think that’s partly because the FSF really 
has been acting like a crusader. 


But I think that one of the main reasons Linux has been 
successful is that I don’t think the Linux community really 
is into crusading (some small parts of it are, but it’s 
not the main reason). I think Linux has made the GPL 
more “socially acceptable”, by being a hell of a lot less 
religious about it than the FSF was. 


So to me, the point of the GPL is not the “convert the 
infidels” logic, but something totally different—“quid 
pro quo”. 


This is where I started out. My initial reason for my original 
license (which was also “you must make changes 
available under the same license”) was not crusading, 
but simple reciprocity. I give out source code—you can 
use it if you reciprocate. 


In other words, to me, the GPL “give back source” is an 
issue of fairness. I don’t ask for anything more than I 
give. I ask for source code and the ability to incorporate 
your changes back into my use, but I don’t want to limit 
your use in any way. 


So in my world view—not as a crusader—the GPLv2 is 
fair. It asks others to give back exactly what I myself 
offer: the source code to play with. I don’t ask for control 
over their other projects (be they hardware or software), 
and I don’t ask for control over copyrights (in the 
kernel, people are encouraged to keep their copyrights, 
rather than sign them over to me). 


I only ask for exact reciprocity of what I give: the license for 
me to use freely the changes to source code that I initiated. 


The GPLv3 fundamentally changes that balance, in my 
opinion. It asks for more than it gives. It no longer asks 
for just source back, it asks for control over whatever 
system you used the source in. 


See? I think the GPLv3 makes perfect sense as a conversion 
tool. But as a “please reciprocate in kind” tool, the 
GPLv2 is better. 


Now, my very earliest original license (and the GPLv2) fit 
my notion of reciprocity, and as mentioned, that was the 
reason I “originally” selected that over the BSD license. 
However, over time, having seen how things evolve, I’ve 
come to appreciate another aspect of the GPLv2, which is 
why I would never put a project I personally really cared 
about under the BSD license—encouraging merging. 


I've come to believe that the BSD license is not a “sustainable” 
license, because while it encourages (and 
allows) forking even more than the GPL does, it does 
not encourage merging the forks back. 


And I've come to the private conclusion that the real value 
of a fork is lost if you don’t have the ability to merge back 
the end result. Not that all forks should be merged back— 
most forks are dead ends—but the firm ability to merge 
back if it turns out to be something other than a dead end. 


The GPL guarantees you the right to both fork and merge 
the result back—equally, and on both sides. That makes it 
sustainable. In contrast, the BSD license encourages forking, 
but also allows for not merging back, and that means 
that if the project ever gets to the point where there are 
economic or political reasons to diverge, it will eventually 
diverge, and there is no counteracting force at all. 


Now, not all projects have any economic incentives to 
diverge. There are good reasons to stay on one base, and 
the costs of forking are bigger than the advantages. So projects 
like Apache and Sendmail have worked fine—the pain 
of being different (when you're “just” a network service) is 
generally much higher than the gain of differentiation. 


But just about anywhere else, the “cohesion” of a BSD-licensed 
project is just lower. You'll have people make a 
commercial release of it, and they'll spend a bit more 
effort on it, and eventually the original freely licensed 
project will become immaterial. 


So long-term, I believe that a GPL'd project is stabler. I 
believe, for example, the fact that Wine switched over to 
the LGPL (which shares a lot of the cohesion argument) was 
a very important decision for the project, and that it would 
eventually have otherwise become irrelevant, and the commercial 
users of the BSD-licensed code would have taken 
over. But note that my second reason is not why I began 
using the GPLv2, and that it’s also equally true of the GPLv3 
and LGPL. Anyway, there are other reasons I like the GPLv2. 
It's a “known entity” and it’s been around for a long time. 


In fact, even in -92, when I switched to the GPL, that 
“known factor” part was a major secondary reason for 
switching. I could have tried to just change my own 
license—but I felt it was an advantage to be something 
that people knew about, and not have to explain it and 
check it with lawyers. The fact that the GPLv2 was still 
“young” back then was nothing compared to how wet 
behind the ears my own license was. 


What we have here is an excellent look at just how conservative 
and practical Linus, Linux and open-source development 
all are. 


Doc Searls is Senior Editor of Linux Journal. 

of those pesky cooling fans. VIA Technologies wishes to save you such agony, 
and to that end has released the fanless Eden and Eden ULV processors. 
Boasting 90nm manufacturing technology and sipping a meager 3.5 watts 
for their 1GHz ULV processor, it's just the ticket for an application requiring 
either low power or low heat specs. For something with a little more umph, 
the 1.5GHz version is still a power miser, consuming only 7 watts. And 
Linux is fully supported, of course. 

www.via.com.tw 

If you truly love your data, let it run away. If it doesn't 
come back, restore it from backups using 
BakBone’s NetVault. The recently released Enterprise 
Edition 7.4 can manage all your troublesome backup 
needs, even in a heterogeneous platform environment 
(that is, you're stuck backing up your NT 
servers as well as your Linux and Solaris boxes). The 
latest release adds support for backing up VMware 
ESX server environments, allowing guest systems to 
access tape drives installed on the host. Pricing 
begins at $1,195 US for Intel-based systems. 

www.bakbone.com 

Please send information about releases of Linux-related products to newproducts@ssc.com 
or New Products c/o Linux Journal, 1752 NW Market Street, #200, Seattle, WA 98107. 
Submissions are edited for length and content. 


VMware Workstation 5.5 for Linux Hosts

Is VMware a compelling purchase in the face of free virtualization competition? MICK BAUER


Few virtual computer environments are as stable, 
popular and rich in features as VMware. I’ve been a fan 
and user of VMware Workstation since version 2.0. I use it
for testing network applications, illicitly running Linux in 
Windows-only environments and, most recently, for testing 
the sample code in my book Linux Server Security, 2nd ed., 
across different Linux distributions. (I also wrote most of 
that edition using MS Word running on a virtual Windows 
XP machine!) [Do you really want to admit that?—Ed.] 
VMware has some serious competition nowadays in the 
Open Source community. Xen, FAUmachine and user-mode 
Linux are promising and 100%-free PC virtualization envi- 
ronments. Nevertheless, VMware Workstation 5.5 remains a 
compelling purchase in the face of all this competition. 
Overview and Specifications
VMware Workstation is a user-space application (aided by 
a couple of proprietary kernel modules) that creates virtual 
x86-based computers on top of your physical 32-bit or 
64-bit x86-based “host” computer. 

VMware Workstation 5.5 runs on the following host 
operating systems: 


- Mandrake Linux 10 and 9.0.
- Red Hat Enterprise Linux AS/ES/WS 4.0, 3.0 and 2.1, 32- and 64-bit.
- Red Hat Linux 9.0, 8.0, 7.3 and 7.2.
- SUSE Linux 10.0 and 9.3, 32- and 64-bit.
- SUSE Linux 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 and 7.3.
- SUSE Linux Enterprise Server 9 SP3 (beta, experimental support).
- SUSE Linux Enterprise Server 9.0, 32-bit and 64-bit.
- SUSE Linux Enterprise Server 8.
- Novell Linux Desktop 9 SP2 (beta).
- Ubuntu Linux 5.10 and 5.04, 32-bit and 64-bit (experimental support).
- Windows XP Professional and XP Home Edition.
- Windows XP Professional x64 Edition.
- Windows 2000 Professional.
- Windows 2000 Server, Windows 2000 Advanced Server.
- Windows Server 2003.
- Windows Server 2003 x64 Edition.

In VMware parlance, host refers to the system running VMware software.
Guest systems are virtual machines running on the VMware host. For the
remainder of this review, I use the terms guest system and virtual machine
interchangeably.


Practically any reasonably modern x86-compatible or x86-64-compatible PC
works as a host platform. VMware supports most Intel processors since
Pentium II, and AMD processors (Athlon or better), provided they run at
least 400MHz (500MHz or faster is recommended). VMware also supports
multiprocessor systems. VMware Workstation 5.5 lets you create virtual
machines that use Two-Way Virtual Symmetric Multiprocessing, an
experimental feature.

If you need a virtual machine with more than two virtual proces- 
sors, this is supported in VMware ESX Server, but if you create one 
and copy it to a VMware Workstation 5.5 host, it won’t run unless 
you change its Number of CPUs setting to 2. You also can create 
virtual machines with the Two-Way Virtual Symmetric Multiprocessing 
feature on a uniprocessor host system, if it has either a dual-core 
CPU or hyperthreading enabled. However, according to the VMware 
Workstation User Manual, virtual machine performance will be 
subpar. And, while I’m still on the subject of CPUs, although you 
can't have more than two CPUs in a virtual (guest) machine, the 
underlying host can have as many as you like. 

Besides a fast CPU (or CPUs), you need plenty of RAM. This is a simple
enough equation. You need enough RAM for your host OS, for VMware itself
and for as many guest OSes as you intend to run concurrently. For example,
my laptop has 1GB of RAM, of which SUSE 9.3 running KDE, a few Konsole
shells, the usual assortment of panel applets and VMware itself use a total
of about 200MB. That leaves me 800MB for virtual machines. I can comfortably
(that is, without hitting swap too much) run three virtual machines that
each has 256MB of RAM and so forth.

Officially, VMware requires your host system to have a minimum of 
128MB of RAM (256MB is recommended), with no maximum per se, but 
only a total of 4GB can be used between all guest VMs. 

You also need enough hard disk space both for VMware itself and for 
as many virtual machines as you anticipate maintaining. Both IDE and SCSI 
disks are supported, both on the underlying host OS and on virtual hosts. 

As with RAM, the more disk space on your host system, the better. 
As a general rule of thumb, you need 172MB for VMware and at least 
2GB per virtual machine. By using VMware shared volumes (actually 
Samba shares), you can share data volumes between virtual machines. 


This allows you to use the minimum necessary disk space for virtual 
machines’ guest OS software and one big shared volume for application 
data. This is also a handy means of sharing data between virtual 
machines and the underlying host OS. 

VMware Workstation 5.5 supports a long list of operating systems 
for guest/virtual machines. These include: 


- Most versions of MS Windows (fully supported), including Vista
  (experimental support).
- Mandrake Linux, versions since 8.2.
- Red Hat Linux, versions since 7.0.
- SUSE Linux, versions since 7.3.
- Solaris x86 (experimental support), versions 9 and 10.

In practice, non-officially supported x86 operating systems often
work fine as guest OSes. For example, in researching my article “Security
Features in Debian GNU/Linux 3.1” (see page 36), I successfully installed
Debian 3.1 on a virtual machine, despite the fact that it’s not officially
supported (the X Window System didn’t work, but everything else I tried
did, including networking).


Installing VMware Workstation 
Installing VMware Workstation on a supported Linux system is a breeze.
You either install the RPM version by executing a single command, or
unpack the .tgz version and manually run the installer script
vmware-install.pl (which is executed automatically if you install the RPM).
Then, you run the configuration script vmware-config.pl. That's it! The
installer scripts and the configuration script do all the work for you.

For example, to install the RPM version of VMware, I executed
the commands:


rpm -Uvh ./VMware-workstation-5.5.1-19175.i386.rpm

and:

vmware-config.pl


The configuration script asks you a number of questions, regarding 
things like how to set up networking. For most users, the default values are 
fine; otherwise, the Workstation 5 User Manual provides clear and compre- 
hensive descriptions of the various options presented by the installer script. 

Speaking of which, the user manual is, in my opinion, a model of 
effective technical writing—everything you need to know about VMware 
is included, explained in plain English and organized in a logical manner. 
It's accessible from within VMware's Help menu in HTML format, and it 
also can be downloaded as one big (490-page) PDF file from 
vmware.com. 


Creating Guest Systems 
Once VMware Workstation is installed and configured, you can run the 
vmware executable in the X Window System to start creating and using 
virtual machines. Figure 1 shows the New Virtual Machine Wizard. 

To create a Typical virtual machine with this wizard (as opposed to a 
Custom virtual system), you need to make only four decisions: 


1. In which OS will the guest machine run?

2. Where on your host machine's filesystem will the virtual machine's
files go?

3. Which flavor of VMware networking will the guest machine use?

4. What type and size of virtual disk to use?


Figure 1. New Virtual Machine Wizard (the Select a Guest Operating System
screen, offering Microsoft Windows, Linux, Novell NetWare, Sun Solaris and
Other)


Because this article is a review and not a how-to, I forego explaining
all the different options available at this point. A few words about virtual 
machine hard disks and networking options, however, might help illus- 
trate VMware's flexibility and power. 

A virtual machine's hard drive is usually a virtual disk—that is, a regu- 
lar file that essentially is mounted by VMware as a loopback filesystem. 
The beauty of this approach is that the virtual disk file doesn’t need to 
reflect its capacity; if you install only 300MB worth of system software, 
applications and files on your virtual machine, its disk file will be only 
300MB or so. The size you specify when setting up the virtual machine 
therefore will be its maximum size, not its actual size (unless you check 
the Allocate all disk space now option). 

If you run the New Virtual Machine Wizard in Custom rather than 
Typical mode, you additionally can choose whether to create a virtual 
SCSI disk (the default) or a virtual IDE disk. You also can choose whether 
to use a virtual disk at all. If you prefer, and if your intended guest OS is 
supported in this mode, you alternatively can designate a physical disk 
partition on your host system as the virtual machine's root. This is handy 
if you have a dual-boot system on which you'd like to run both (or more) 
local OSes simultaneously, but support for this feature is limited and 
comes with some caveats. Tread lightly with this feature, and be sure to 
read the user manual carefully before you attempt to use it. 

You can network your virtual machines using one of three methods. 
In bridged networking, the default, your virtual machine is given a virtual 
Ethernet interface connected to the same LAN as your host machine's 
physical network card (or wireless card—in VMware 5 you can now 
bridge WLAN interfaces on Linux hosts). In other words, your virtual 
machine appears on your local LAN as though it were sitting side by side 
with your host machine. 

With Network Address Translation (NAT), your host system acts like a 
NAT firewall. Your virtual machine is given a fake IP address, and when it
connects to other resources on your LAN or beyond, VMware translates
the source IP address on all its packets to that of the host system's physi- 
cal network interface. In other words, your virtual machine is hidden 
from the rest of your LAN by your host system. This is handled strictly 
by VMware; you don't need to configure iptables on your host OS 
to achieve this. 

The third option is host-only networking. This is similar to the NAT 
mode in that your virtual machine is assigned a fake IP address on a vir- 
tual LAN separated from your physical/actual LAN by your VMware host 
system. The difference is that none of the virtual machines on your host- 
only (virtual) LAN will be able to interact with the real LAN unless you 
explicitly configure the underlying host OS to forward and route those 
packets. In other words, with host-only networking, you will need to
configure your host OS to route or bridge your virtual machines’ packets. 
This mode, therefore, is most useful when you don’t want to connect 
your virtual and physical LANs—for example, if you're testing potentially 
dangerous network applications on your virtual LAN. 
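
As an added illustration of the three networking modes described above (this
is not code from the article or from VMware), the following Python check reads
a virtual machine's .vmx file and reports every enabled adapter that is not
host-only, along with the host's IP-forwarding flag. The sample .vmx text is
constructed, and the ethernetN.present and ethernetN.connectionType key names
and the bridged fallback are assumptions to confirm against your own files.

```python
import re

# Constructed sample .vmx text (not taken from the article). The
# ethernetN.present / ethernetN.connectionType key names are an assumption
# about the VMware configuration format; confirm them in your own .vmx files.
SAMPLE_VMX = """\
config.version = "8"
displayName = "malware-lab"
memsize = "256"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
ethernet1.present = "TRUE"
ethernet1.connectionType = "nat"
ethernet2.present = "TRUE"
ethernet3.present = "FALSE"
ethernet3.connectionType = "bridged"
"""

_SETTING = re.compile(r'^([A-Za-z0-9_.:]+)\s*=\s*"(.*)"$')
_NIC_PRESENT = re.compile(r"(ethernet\d+)\.present")


def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SETTING.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def adapter_modes(settings):
    """Map each enabled virtual NIC to its networking mode."""
    modes = {}
    for key, value in settings.items():
        match = _NIC_PRESENT.fullmatch(key)
        if match and value.strip().lower() == "true":
            nic = match.group(1)
            # Assumption: an adapter with no connectionType is bridged,
            # the mode the article names as the default.
            mode = settings.get(nic + ".connectiontype", "bridged")
            modes[nic] = mode.strip().lower()
    return modes


def audit_isolation(vmx_text, host_ip_forward="0"):
    """List the reasons this VM is not confined to a host-only LAN."""
    findings = []
    modes = adapter_modes(parse_vmx(vmx_text))
    for nic in sorted(modes):
        if modes[nic] != "hostonly":
            findings.append(f"{nic}: {modes[nic]} networking reaches the real LAN")
    # Host-only traffic stays put only while the host does not forward it.
    flag = host_ip_forward.strip()
    if "hostonly" in modes.values() and flag != "0":
        findings.append(
            f"host: ip_forward is {flag!r}, not '0'; host-only traffic may be routed"
        )
    return findings


def read_host_ip_forward(path="/proc/sys/net/ipv4/ip_forward"):
    """Read the Linux host's IPv4 forwarding flag ("unknown" if unreadable)."""
    try:
        with open(path) as handle:
            return handle.read().strip()
    except OSError:
        return "unknown"


if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_VMX, read_host_ip_forward()):
        print(finding)
```

An empty result means every enabled adapter is host-only and the host is not forwarding packets, which is the configuration the review suggests for testing potentially dangerous network applications.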


Other Virtual Devices 

Besides virtual CPU, RAM, hard disks and network interfaces, virtual 
machines also can have virtual floppy disks, CD-ROM/DVD-ROM drives 
(data only, not movies), USB controllers, SCSI controllers, parallel ports, 
serial ports, sound cards and mice. Both floppy and CD/DVD drives can 
use either your host system's actual hardware, or disk-image or ISO files, 
respectively. In all cases, VMware mounts the real or virtual media for 
you; you don’t need to run the mount command separately. 

VMware's SCSI and USB support is similarly transparent. By default, if 
you plug in a SCSI or USB device to your host system while a virtual 
machine is running in the foreground (has focus), the virtual machine 
responds as though you plugged the device in to it. Whether this will 
actually work in a given situation depends both on VMware—the virtual 
USB controller supports only USB 1.1—and on the capabilities of the 
guest system. (Does it support USB? Have you installed the correct 
drivers for your device onto your virtual machine?) 


Running Host Systems 

Once you've created a virtual machine and installed its operating system, 
actually using the virtual machine is very, very similar to the real thing. 
Figure 2 shows the Debian 3.1 installer running on a virtual machine. 

You can even, if you like, run the virtual machine in full-screen mode 
rather than within the VMware window. Installing the VMware Tools 
package on the guest system adds additional features, such as enhanced 
virtual-display-adapter support for your guest system and the ability to 
move your mouse pointer in and out of the VM window without having 
to click in and escape out. 

A number of VMware features make the virtual machine experience 
better than using a real machine, especially for research/test scenarios. 
One is the ability to take snapshots of virtual machines. A snapshot cap- 
tures a virtual machine’s memory state, disk state and virtual machine 
settings at a given point, allowing you to roll back to that point later— 
for example, after losing control of a virus you were examining on 
the guest system. 

Another feature is the ability to create teams of virtual machines. A 
team is a group of virtual machines with shared networking and startup 
characteristics. This lets you create, for example, a farm of database 
servers all connected to the same virtual LANs that all can be started 
simultaneously with a single-mouse click or command (VMware now has 
a command-line utility, vmrun, for operating virtual machines and teams). 

As you'd probably expect, given that a virtual machine is nothing 
more than files in a directory, VMware also makes it easy to clone virtual 
machines. A full clone is simply a copy of the parent VM, identical to it 
except for having a new MAC address and UUID. A full clone, therefore, 
is highly portable, and it easily can be copied to other host systems. 
Figure 2. A Virtual Debian Machine


Another option is to create a linked clone, which actually is made 
from a snapshot of the parent. Changes to the parent don’t affect the 
clone, and vice versa, but the clone must have access to the parent's files 
at all times. 


Conclusions 

So, what are the downsides to VMware? Honestly, I've been a very happy 
user of this product over the years. I have no laundry list of gripes or bugs
to share with you, other than one hardware-specific problem with
VMware 4.0 on a ThinkPad T42 running Windows XP (which I solved by
switching to the Linux version). VMware Workstation 5.5 is a stable, well- 
documented and easy-to-use product with a rich set of features that is 
particularly useful to information systems professionals and researchers. 

None of that comes for free, of course. The downloadable version of 
VMware Workstation 5.5 for Linux costs $189 US, and the boxed version 
is $199 US. I think you'd be hard pressed though to assemble a very
good physical computer for that little money, let alone an entire LAN’s 
worth. If in doubt, you can download the full version for a 30-day evalu- 
ation (after which you must purchase and install a license to continue 
using VMware). 

Or, you can opt for VMware Server, which is now completely free. 
Formerly known as VMware GSX Server, the current version of VMware 
Server was still in beta at the time of this writing, but it will remain a free 
product even when it reaches production status. Presumably, VMware 
Server lacks many of VMware Workstation’s developer/researcher-oriented 
features—the server versions of VMware are targeted more for production
server applications. Compare and decide for yourself. More information
about all VMware products is available at www.vmware.com.


Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. 
He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure 
Servers With Linux), an occasional presenter at information security conferences and composer of the 
“Network Engineering Polka”. 
RUNNING SOUND APPLICATIONS UNDER WINE


You still need Wine to get a buzz (and other audio applications) on.
DAVE PHILLIPS


Open any of the popular music trade magazines such as Keyboard 
or Sound On Sound, and you can’t miss the plethora of colorful advertise- 
ments for sound and music software, all of it for Windows and Mac. Much 
of this software is of truly outstanding quality; some of it has set industry 
standards for features and performance, and not a bit of it is available for 
any platform other than Windows and Mac. 

The open-source audio development community has made great 
strides toward providing musicians with a freely available alternative to 
the Win/Mac hegemony, and they deserve great praise. Nevertheless, 
it also must be admitted that our community is still relatively small. 
Potential converts to Linux often ask whether they can run their famil- 
iar programs successfully under Linux, and that criterion alone can 
determine whether they make the change to Linux. For all of Linux’s 
vaunted technical superiority, it's a no-show if you need an application 
that simply doesn’t exist for it. 

This article describes how to set up and use the Wine Windows emulation
environment for sound and music applications. I test a few programs,
and I indicate the quality of performance you can reasonably expect from
running Windows music and sound software under Wine.
Some Details

System emulators come in two basic flavors, machine architecture emula- 
tors and operating system emulators. Wine is a complete package that 
emulates the Windows operating system. Windows itself is not required. 
Wine includes its own versions of the Windows system DLLs, but you can 
use the native Windows versions if you prefer. Depending on the intended 
use, the system may require other native support software expected by 
your applications. 

Wine's sound capabilities have developed largely in response to users 
who want to play their favorite games without leaving their favorite oper- 
ating system. As a result, Wine has become a good candidate for running 
Windows audio and MIDI applications. However, before installing the emu- 
lator, you should check its documentation for the most current sound sys- 
tem status reports. If you intend to run a particular sound or MIDI applica- 
tion under emulation, your success will depend on a variety of factors, 
including support for the original file formats, audio sampling rates and 
required drivers. 

The tests in this article were performed on an 800MHz machine with an 
M-Audio Delta 66 digital audio I/O system and an SBLive Value sound card. 
The software base included ALSA 1.0.4, JACK 0.99 and a rock-solid 2.4.26 
Linux kernel patched for low latency. As always, your mileage may vary. 


Wine 
Wine is an acronym for either WiNdows Emulator or Wine Is Not an Emulator. 
Curiously, both interpretations are correct. Wine is the wine executable, a
Linux program that runs Windows programs, and it is equally libwine, a library
designed to assist Windows/Linux cross-platform development. 

After 12 years at the alpha-release level, Wine is now officially a beta- 
stage project. Hopefully, this event signals a more consistently stable envi- 
ronment, but some programs still may behave erratically. The Wine docu- 
mentation gives detailed instructions for submitting useful bug reports, so if 
you find that your favorite Windows program doesn’t work well (or at all) 
under Wine, you can help yourself and the project by submitting a report. 

Wine’s support for basic sound and MIDI is good, and support for 
audio extensions such as Microsoft's DirectX is improving, but you won't be 
able to use Wine to run large, integrated multimedia applications, such as 
Cubase or SONAR. However, Wine can run a variety of sound and music 
programs, even some fairly big packages. Check the Wine Web site (see 
the on-line Resources) for links to lists that rate the compatibility of various 
Windows applications. 


Getting It, Building It 
The WineHQ Web site provides Wine in a variety of package formats, 
including the common RPM and DEB formats and full source tarball. Use 
your package manager of choice to install the latest version. If you decide 
to build Wine from the source package, simply open an xterm, enter your 
new wine-x.x.x directory and run ./tools/wineinstall (as a normal user). 
Answer the prompts, then relax and let the Wine installer do its stuff. 

After installation, run the notepad.exe file included with the distribution: 


wine $HOME/c/windows/notepad.exe 


If the familiar editor appears, Wine is ready for use. Now you can try to 
run some Windows music and sound applications. 

System requirements and build procedures may change from version to 
version, so if you decide to build Wine yourself, be sure to read the 
README and follow the recommended installation instructions included 
with the package. The version used in this article is Wine 0.9.6, released 
on January 20, 2006. 


Audio and MIDI Support in Wine 
Linux-based musicians have two good reasons to take an interest in Wine’s 
sound support. The first reason is applications. Some Windows sound pro- 
grams have no equivalent in native Linux versions, and the possibility of 
running those programs under Wine is very attractive. The second reason 
involves libwine. That library is a key component in projects that provide 
support for running Windows VST/VSTi audio synthesis/processing plugins 
under Linux. In this article, I focus only on running applications under
Wine, but readers interested in learning more about the Linux + VST 
connection should check out the Web page (see Resources) for details 
regarding the FST (FreeST) Project. 

At the user level, the heart of Wine’s audio support can be found in 
the ~/.wine/config file. Here’s the relevant section of that file as it appears 
in my Wine configuration: 


[WinMM]
; Uncomment the "Drivers" line matching your sound setting.
"Drivers" = "winealsa.drv" ; for ALSA users
;"Drivers" = "wineoss.drv" ; default for most common configurations
;"Drivers" = "winearts.drv" ; for KDE
;"Drivers" = "winejack.drv" ; for the JACK sound server
;"Drivers" = "winenas.drv" ; for the NAS sound system
;"Drivers" = "wineaudioio.drv" ; for Solaris machines
;"Drivers" = "" ; disables sound
"WaveMapper" = "msacm.drv" ; do not change !
"MidiMapper" = "midimap.drv" ; do not change !


The WaveMapper and MidiMapper are required; they emulate the 
native Windows MCI (Media Control Interface) drivers that provide the 
standard commands for controlling multimedia devices and playing and
recording multimedia data files.

Figure 2. Band-in-a-Box

Wine provides audio interface drivers for OSS/Free (the default), ALSA, 
aRts, JACK and NAS (a network audio system). You can select a new driver 
at any time, but you will need to restart Wine. Your choice of sound driver 
may be determined by the application. In my experiences, some programs 
worked only with the OSS/Free driver, others worked only with ALSA, and 
some worked well with either one. I was especially excited to see a JACK
driver listed, but as far as I could tell, the JACK driver is broken in this
release—a reminder that Wine is still beta-stage software. 


Running Sound Apps under Wine 

Due to space considerations, it is not possible to describe the installation 
and configuration details fully for the programs I’ve reviewed here. I wanted
to test Wine's audio performance without going to heroic measures,
employing only its default settings as far as possible and doing little more
than selecting an appropriate sound driver as described above. I provide a
brief description of each tested program, and then I relate my experience
with running the program under Wine. Note that these tests were made
mainly with the demos and examples packaged with the programs, and 
my conclusions are necessarily provisional and incomplete. 


AudioMulch 

Ross Bencina’s AudioMulch is a sound synthesis and music composition 
environment with a unique interface and a strong emphasis on real-time 
performance capabilities. 

AudioMulch divides itself into three main panels (Figure 1). The left- 
most panel is a graphic instrument design and connections center—a can- 
vas upon which you place and connect AudioMulch’s various synthesis and 
processing modules. Next to this panel, we see the controls for the param- 
eters of your selected modules. Underneath it all are the automation con- 
trols—a stack of breakpoint displays that control module parameter 
changes in real time. 

Everything in AudioMulch is designed for real-time updates. I verified
this assertion by loading an example file and altering its controls
and breakpoint displays at random. AudioMulch easily kept up with my
changes, and Wine’s audio never broke or stuttered. Very impressive!

I tested AudioMulch version 1.0rc2. It installed easily and was ready for
immediate use. I loaded and ran every example included with the package,
and each one performed perfectly with Wine’s OSS/Free and ALSA drivers. 
Potential users should note that AudioMulch is shareware, not freeware, 
and the registration fee is $50 US. If you want to test-drive the release 
candidate, be aware that it will expire on the date indicated at the 
AudioMulch Web site. 


Band-in-a-Box 

Band-in-a-Box is an automatic accompaniment generator. The program 
creates a virtual backing band that interprets a series of user-defined chord 
changes according to a selected “style”. A Band-in-a-Box style is a set of 
rules governing quantifiable aspects of a particular music performance 
style, such as country swing, rhumba, waltz time, blues shuffle and so 
forth. When the user clicks the Play control, the program processes the 
chord changes by the style rules, generates a real-time performance stream 
and plays it with your preferred MIDI synthesizer. Voila, you have your 
dream rehearsal band. 

Band-in-a-Box is the reigning king of the auto-accompaniment soft- 
ware domain. Need to play those changes more slowly? No problem, 
Band-in-a-Box is a MIDI-based program, so you can adjust the tempo to 
whatever speed is most comfortable. Want those chords played in a different
meter or rhythm? Still no problem, Band-in-a-Box supplies hundreds of
styles to choose from, and if you don’t like what's included with the base
package, you can design your own or access literally thousands of styles
and arrangements created and freely distributed by the program's vast
base of users and style developers. Don’t like the instrumentation for a
particular style? Change it on the fly, add or subtract players from the
band, or mute parts at will.

Figure 3. The Wine Buzz

I downloaded the most recent Band-in-a-Box demo from the program's
Web site and installed it with wine bbw2004demo.exe at an xterm prompt.
I entered my new ~/c/bbdemo directory and ran wine bbwdemo to start
Band-in-a-Box. I loaded an example style from the File/BB Song dialog,
pressed the Play control and watched as the program apparently played the
loaded style. Alas, there was no sound. I reconfigured the default MIDI
output to go to the Emu10k1 synthesizer on my SBLive Value sound card,
pressed Play, and behold, I had sound. I tested other built-in styles, all
perfectly happy to perform as though they were playing under Windows itself.

I discovered only one potentially serious difficulty with the demo
version. I configured the MIDI input device to the hardware port on the
SBLive, but Band-in-a-Box would not record what I played on my MIDI
keyboard. The program’s virtual keyboard display worked perfectly, but I
prefer to record directly from the hardware interface, so perhaps it’s time
to fire up the Wine debugging tools.

Band-in-a-Box is strictly commercial software, with a list price of $88 
US for the Pro Edition. The demo is, of course, free. 

Band-in-a-Box has the honor of a place in the Wine AppDB Gold 10, a 
selection of Windows applications that has demonstrated consistently excellent
performance under Wine. By the measure of my simple tests, I must
concur with that rating. Band-in-a-Box is an excellent music application that 
runs beautifully under emulation. Consider it double-plus recommended. 


Buzz 
Buzz combines tracker-style pattern and sequence editors with a powerful audio 
synthesis/processing environment to form an all-in-one package for sound 
design and music composition. No other music software is quite like Buzz. 

I had tried installing Buzz unsuccessfully by following the normal
instructions for Windows users, but reading over the comments on the
Wine AppDB, I discovered that I needed an installation package different
from the one available on the official Buzz Web site. Here’s what I did to
install and run Buzz successfully under Wine:

- Downloaded the package found at buzzdistro.cjb.net.
- Ran wine buzz_base.exe to install the program.
- Changed directory to ~/c/Program Files/Buzz.
- Ran wine buzz. (Honest!)

And indeed, as shown in Figure 3, Buzz runs under Linux.
Buzz synthesis and processing modules are known as machines in Buzz-speak.
The default package includes dozens of immediately useful machines,
and hundreds more are available from the Buzz community. Like many other
synthesis applications, Buzz uses a “patching” metaphor to roll your own
audio processing network—that is, you link machines together with virtual
patching cables to create a data-flow diagram representing your network.

Figure 4. Buzz Tracker Interface

Figure 3 displays some opened machines. Whenever you want to 
manipulate a machine's parameters, simply double-click on the machine 
box, and its control panel appears. You can control all parameters in real 
time with the mouse or with MIDI controllers. 

Buzz’s composition interface closely resembles a typical tracker interface 
(Figure 4). A scrolling display represents beats within a selected pattern 
length. Audio events (typically sampled sounds) are entered on the desired 
beat lines anywhere within the pattern. Completed patterns are then 
linked together to form a song sequence. 

By the way, the package available from the link above is not the only 
Buzz-for-Linux package available. If that one doesn’t work for you, try the 
bundle available from Flavor8 (see Resources). Peruse the hints and tips while 
you're there, and be sure to check out the demos made with Buzz on Linux. 

Buzz is much too rich an application to treat in any depth here, so I simply
recommend playing and studying some of the demo files included with
the distribution. The package includes extensive documentation, and a very
active community of users can be reached through the main Buzz site. Buzz
is freeware, and though it’s a shame that no native Linux version of Buzz
exists (or ever will—the source code has been lost), in lieu of a native
version, you can still enjoy a pleasant Buzz with Wine. Sorry, I just had to say it.


Some Conclusions 

In the course of writing this article, I also tried to run many sound and
music programs that failed in various ways. Native Instruments’ very cool
FM7 loaded and appeared to work (it received MIDI input from my keyboard),
but no sound came from it. NI's Tracktion installed and ran, but its
audio output was terribly distorted. The latest Finale demo wouldn't install
at all, and the Reaktor 5 demo installed but crashed when started. Of
course, all these programs run perfectly well in their native Windows
environment, which is simply to say that Wine is still in development.

I also solicited the Linux Audio Users mail list regarding opinions of and
experiences with the use of Wine with Windows audio applications. As
might be expected, input varied. Reports included whole or partial success
with applications such as Native Instruments’ Battery and Kontakt, the
Renoise tracker and the demo for Guitar Pro 3. I plan to put up a Web
page that will list Windows audio/MIDI applications that have been tested
with Wine, so if you have any notable successes or failures to report,
please contact me at dlphilp@linux-sound.org.

Hopefully, Wine’s JACK driver will work again in a stable version of 
Wine by the time this article is printed. JACK is the present and future of 
Linux audio, and it would be a definite Good Thing for the Wine Project. A 
virtual ASIO driver might be a helpful addition too. 

Ideally, native Linux applications would replace their Windows counterparts,
but until that happy time, Wine may prove to be a viable alternative
to dual-booting or setting up secondary machines. It may lend a new lease
on life to your software investment, and hopefully, it will work well enough
to let you run those needed music and sound applications that still have no
Linux equivalents.


Resources for this article: www.linuxjournal.com/article/8886. 


Dave Phillips is a musician, teacher and writer living in Findlay, Ohio. He has been an active member of the 
Linux audio community since his first contact with Linux in 1995. He is the author of The Book of Linux Music 
& Sound, as well as numerous articles in Linux Journal. He can be reached at dlphilp@linux-sound.org. 
User-mode Linux lets you do tricks like run a safely isolated Debian 3.1 on Fedora 4.


From the earliest behemoth computers with their hard-wired programs to
modern-day disposable calculators and desktop PCs, all our computers run
some kind of program. John von Neumann cooked up the concept of storing a
computer's program just like any other piece of data, making way for
computers to become multipurpose tools no longer locked in to one hard-wired
function. Soon the concept of an operating system, or a program to abstract
common system-level details like device management and program execution,
was born. It didn’t take long for some crafty system programmers to realize
that a single CPU could be made to perform multiple tasks seemingly at the
same time. This gave rise to the first time-sharing and
multitasking/multiuser operating systems. All modern computers still operate
on this same stored program concept. In the case of a modern personal
computer, after switching it on, it runs the stored program in the BIOS, or
firmware, which eventually hands off to a multistage bootloader, which in
turn loads the OS kernel. The kernel executes and sets up an operating
environment in which system resources like CPU time, memory and devices can
be used by programs executed beneath the kernel. It’s all a long chain of
stored programs.

The kernel is a program just like any other (albeit a rather complex one). 
So, what stops you from executing the kernel just like any other program? 
Actually, not much at all. This is what user-mode Linux (UML) is all about. 

The Linux kernel normally runs with special privileges, because it 
needs direct access to your hardware. User-mode Linux provides a way to 
compile the normal Linux kernel sources so that it can be invoked as a 
regular binary program on top of the base Linux kernel. When you run a 
kernel on top of the base Linux kernel, you are really running one or 
more “guest” Linux systems without any special privileges. (There are 
some exceptions. Some software must be installed as root for user-mode 
Linux to work.) These guest Linux systems are complete systems that run 
in a (mostly) safe environment. 


In the remainder of this article, I provide a recipe for getting a UML system
up and running on your host Linux box. Then, we explore some features
and have some fun. The host system I am using for this demonstration is
Fedora Core 4 on an Intel P4 with 1GB of memory, but almost any system
and distribution will work, provided it is running a recent 2.6 kernel and
has a minimum of 256MB of memory.

A guest UML system is just like any other Linux system. It is a combination
of a Linux kernel and a collection of small programs, libraries and files
that make up the operating system. These are provided in two parts, the
kernel and a filesystem image. A filesystem image is a virtual disk partition.
This is what will be mounted and used as the root filesystem of our UML
system. You have the choice to create these two parts yourself or download
them off the Net, ready made from popular distributions. In the interest
of instant gratification, we take the ready-made route; take a look at
the UML Wiki for more information on building your own filesystems
(see the on-line Resources).

Kernels and root filesystem images are available in a number of versions
and distributions. Images of Red Hat, Fedora Core, Debian and a
number of special-purpose distributions are available. I use Debian 3.1
for this demonstration.


User-mode Linux has one very special feature called a Copy-On-Write file
or COW. Copy on write is a common computer science concept that
defines a mechanism for a chunk of data to remain read-only yet allows
modification by writing changed data blocks to an alternate location. The
filesystem image you download always remains read-only. Changes made
to the filesystem in our running UML system are written to the COW file.
This allows us to boot up multiple UML systems from the same read-only
root filesystem image, provided they all have separate COW files. Also, if
our UML system becomes corrupted, we simply clear the COW file to start
over. COW files are what are called sparse files; even though they may
appear to be big when viewing the file size, only non-null data is actually
allocated space on the disk.


Collecting the Pieces 


Let's start by collecting the components in a freshly created empty directory.
Make sure sufficient disk space is available; after all, we need to house
an entire Debian installation. Three gigabytes should be sufficient for
the basic system. Download the Debian-3.1-x86-root_fs.bz2 file from
uml.nagafix.co.uk. Then, grab the 2.6.14.3-bs3 UML kernel from
www.user-mode-linux.org/~blaisorblade/binaries. Finally, grab the
UML utilities sources from user-mode-linux.sourceforge.net/dl-sf.html.
If any of these files are missing, you can find alternate download locations
in the Resources for this article.

Below is a script of the commands for collecting all the parts and
compiling the UML utilities that are available only in source form. If you
are not interested in setting up networking, you can omit the uml_utilities
tarball and skip the compile. All the steps below can be performed as a
normal user except the installation of the UML utilities, which requires
an su to root:

mkdir /tmp/UML-Demo
cd /tmp/UML-Demo
# Root filesystem image
wget http://uml.nagafix.co.uk/Debian-3.1/Debian-3.1-x86-root_fs.bz2
bunzip2 Debian-3.1-x86-root_fs.bz2
# UML kernel binary, copied into the working directory
wget http://www.user-mode-linux.org/~blaisorblade/binaries/2.6.14.3-bs3/uml-release-2.6.14.3-bs3.tar.bz2
tar -xvjf uml-release-2.6.14.3-bs3.tar.bz2
cp um32-2.6.14-release-mod/vmlinux-2.6.14.3-bs3 .
# UML utilities (needed only for networking)
wget http://mirror.usermodelinux.org/uml/uml_utilities_20040406.tar.bz2
tar -xvjf uml_utilities_20040406.tar.bz2
cd tools
make all
su root
make install DESTDIR=/
exit
cd


Listing 1.
Debian 3.1 UML Guest Boot Demonstration

Debian GNU/Linux testing/unstable (none) tty0

(none) login: root <ENTER>
Linux (none) 2.6.14.3-bs3 #7 Fri Dec 16 17:47:00 CET 2005 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

(none):~# ps -ef <ENTER>
(... UID, PID, PPID and other columns omitted; CMD column follows ...)
init [2]
[ksoftirqd/0]
[watchdog/0]
[events/0]
[khelper]
[kthread]
[kblockd/0]
[pdflush]
[pdflush]
[aio/0]
[kswapd0]
[kjournald]
/sbin/syslogd
/sbin/klogd
/usr/sbin/exim4 -bd -q30m
/usr/sbin/inetd
/usr/sbin/atd
/usr/sbin/cron
/bin/login --
-bash
ps -ef
(none):~# df -h <ENTER>
Filesystem   Size  Used  Avail  Use%  Mounted on
/dev/ubda   1008M  264M   694M   28%  /
tmpfs        768M     0   768M    0%  /tmp
tmpfs         14M     0    14M    0%  /dev/shm
(none):~# halt <ENTER>

Broadcast message from root (tty0) (Sun Jan 15 22:57:17 2006)

The system is going down for system halt NOW!


Now we have all the parts collected and are ready to rock ‘n’ roll. All 
Linux systems have a kernel command line. In most systems, this command 
line is invoked by the bootloader (GRUB, LILO and so on). In our case, we 
compose the command line ourselves to instruct the kernel to use the 
Debian root filesystem image and a COW file named Debian1.cow as its 
root (/) filesystem. Your current terminal becomes the console of the 
guest UML system: 


cd /tmp/UML-Demo
./vmlinux-2.6.14.3-bs3 ubd0=Debian1.cow,Debian-3.1-x86-root_fs root=/dev/ubda


After that command is executed, we see the familiar Linux kernel boot 
messages ending with a Debian system waiting for someone to log in. 
We can log in as root (there is no password) and poke around as shown 
in Listing 1. 

Pretty cool, eh? It's your very own Debian 3.1 sandbox to make or
break as you like. You can ignore warnings about hwclock and tty0, as
these are normal for most UML systems because some hardware features
are not supported by UML kernels. Feel free at this point to change the
root password to anything you like.

Next, let’s set up networking. You need two free static IP addresses,
one for each side of a tunnel that will be created by the UML utilities we
compiled earlier. I use 192.168.1.100 and 192.168.1.101 here. Use anything
appropriate for your local network. To get started, boot up your
Debian UML again, and use the following command:


cd /tmp/UML-Demo
./vmlinux-2.6.14.3-bs3 ubd0=Debian1.cow,Debian-3.1-x86-root_fs root=/dev/ubda eth0=tuntap,,,192.168.1.100


After our Debian guest system is booted, log in as root again and modify
the network configuration as follows.
Edit the /etc/network/interfaces file to contain only the following lines:


auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 192.168.1.101
    netmask 255.255.255.0
    gateway 192.168.1.1


Enter a hostname of your choice in the /etc/hostname file and, finally,
copy your resolver settings from /etc/resolv.conf on the host system to the
guest Debian system. Halt the guest system and reboot.

After the guest system is booted, you will be able to ping it from anywhere
on your network. I would suggest doing a couple things to your
newly networked Debian system. First, install OpenSSH, and then update
all installed packages to current versions. To do so, execute the following
commands and answer the simple questions when asked:


apt-get install openssh-server
apt-get upgrade


Listing 2. 
Destruction can be fun if you are just testing. 


Debian GNU/Linux testing/unstable (none) tty0

(none) login: root
Linux (none) 2.6.14.3-bs3 #7 Fri Dec 16 17:47:00 CET 2005 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

(none):~# rm -rf /
rm: cannot remove `//proc/meminfo': Operation not permitted
rm: cannot remove `//proc/uptime': Operation not permitted
(... Many warnings about read-only filesystems omitted ...)
rm: cannot remove `//proc/loadavg': Operation not permitted
`//proc/self' changed dev/ino: Operation not permitted
(none):~# df -k
-bash: df: command not found
(none):~# ps -ef
-bash: ps: command not found
(none):~# halt
-bash: /sbin/halt: No such file or directory
(none):~#


Listing 3. 
A Very Ill Debian UML Guest 


(... boot messages omitted ...)
EXT3-fs: INFO: recovery required on readonly filesystem.
EXT3-fs: write access will be enabled during recovery.
kjournald starting. Commit interval 5 seconds
EXT3-fs: ubda: orphan cleanup on readonly fs
EXT3-fs: ubda: 66 orphan inodes deleted
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
Warning: unable to open an initial console.
Kernel panic - not syncing: No init found. Try passing init= option to kernel.
(... register and stack dump omitted ...)
[<a0032d2a>] show_regs+0x21a/0x230
[<a0016c8c>] panic_exit+0x2c/0x50
[<a004a275>] notifier_call_chain+0x25/0x40
[<a0037501>] panic+0x71/0x100
[<a000e2c0>] init+0x100/0x170
[<a002bf59>] run_kernel_thread+0x39/0x50
[<a001c3d4>] new_thread_handler+0xc4/0x120
[<b7f3b420>] 0xb7f3b420

The possibilities at this point are wide open. Any network service or
application can be run under this guest Debian install. You can use UML
to test applications across many kernel versions and Linux distributions all
on one box. You can place the filesystem image and COW file on a USB
thumbdrive, giving you a stable development environment across all the
computers you use. User-mode Linux makes it easy and painless to test
system changes that otherwise might make a system unbootable.


Fun—As in Destruction! 

Okay, you know you've always wanted to do it. Now, here is your
chance. Bring up a new standalone guest Debian UML system, and do an
rm -rf /. If you are like me, your fingers start to curl under as you even
consider typing that command. To begin, boot up the new Debian guest
using the following command (notice we are using a different COW
file, because we do not want to disturb the nice networked setup
we created previously):


cd /tmp/UML-Demo
./vmlinux-2.6.14.3-bs3 ubd0=DangerDanger.cow,Debian-3.1-x86-root_fs root=/dev/ubda


After our doomed friend boots up, let ‘em have it. Make sure you 
double- (perhaps even triple-) check that you are still typing in the guest 
Debian system (Listing 2)! 

It's hosed up pretty good at this point. In fact, you can’t even run 
halt, because the halt program itself is gone. From another command 
window, kill the system with: 


killall -9 vmlinux-2.6.14.3-bs3 


Then, see what happens when you try to boot it up again using the 
same command (Listing 3). 

That's gotta hurt. So, as a lesson, do not do that on a real system. 
But because this is a UML guest with a COW file, you simply can delete 
the DangerDanger.cow file, and this guest system will boot up back 
to its initial state. 


More on COW Files 

The utility uml_moo included in the UML utilities will read a filesystem 
image and an associated COW file and create a new merged filesystem 
image. This allows you to merge changes stored in the COW file into a 
new master filesystem image. This makes it easy to clone working guest 
filesystem images when you have them set up the way you want. 
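
The copy-on-write behaviour described here and in the earlier COW discussion, modelled in Python as an added illustration (it is not code from the article or from the UML project). The CowDisk class, its method names and the 512-byte block size are assumptions made for the example, and the overlay is an in-memory dictionary, not UML's on-disk COW file format.

```python
# Toy model of a UML-style copy-on-write (COW) disk.
# Constructed for illustration: this is not UML's on-disk COW format.

BLOCK = 512  # assumed block size in bytes


class CowDisk:
    """A shared read-only base image plus a private overlay of changed blocks."""

    def __init__(self, base: bytes):
        if len(base) % BLOCK:
            raise ValueError("base image must be a whole number of blocks")
        self._base = base      # the downloaded root_fs image: never written
        self._overlay = {}     # block index -> new contents (the "COW file")

    def _check(self, offset: int, length: int) -> None:
        if offset < 0 or length < 0 or offset + length > len(self._base):
            raise ValueError("access outside the disk")

    def _block(self, idx: int) -> bytes:
        # A changed block is served from the overlay, anything else from the base.
        if idx in self._overlay:
            return self._overlay[idx]
        return self._base[idx * BLOCK:(idx + 1) * BLOCK]

    def read(self, offset: int, length: int) -> bytes:
        self._check(offset, length)
        if length == 0:
            return b""
        first, last = offset // BLOCK, (offset + length - 1) // BLOCK
        data = b"".join(self._block(i) for i in range(first, last + 1))
        start = offset - first * BLOCK
        return data[start:start + length]

    def write(self, offset: int, data: bytes) -> None:
        self._check(offset, len(data))
        pos = 0
        while pos < len(data):
            idx, inner = divmod(offset + pos, BLOCK)
            chunk = data[pos:pos + BLOCK - inner]
            block = bytearray(self._block(idx))  # copy the block before changing it
            block[inner:inner + len(chunk)] = chunk
            self._overlay[idx] = bytes(block)
            pos += len(chunk)

    def dirty_blocks(self) -> list:
        """Only these blocks take up space in the overlay (cf. the sparse COW file)."""
        return sorted(self._overlay)

    def reset(self) -> None:
        """Like deleting the COW file: the guest is back at the base image."""
        self._overlay.clear()

    def merge(self) -> bytes:
        """Like uml_moo in spirit: base plus overlay folded into a new image."""
        return b"".join(self._block(i) for i in range(len(self._base) // BLOCK))


def demo() -> dict:
    # Constructed 4-block "root filesystem": block 0 is all 'A', block 1 all 'B', ...
    base = b"".join(bytes([ord("A") + i]) * BLOCK for i in range(4))
    guest1, guest2 = CowDisk(base), CowDisk(base)  # two guests, one shared image

    guest1.write(BLOCK - 2, b"xxxx")               # straddles blocks 0 and 1
    result = {
        "guest1_sees": guest1.read(BLOCK - 2, 4),
        "guest2_sees": guest2.read(BLOCK - 2, 4),  # unaffected by guest1's write
        "guest1_dirty": guest1.dirty_blocks(),
        "base_intact": base[BLOCK - 2:BLOCK + 2] == b"AABB",
    }
    merged = guest1.merge()                        # new master image with the change
    result["merged_has_change"] = merged[BLOCK - 2:BLOCK + 2] == b"xxxx"
    result["merged_size_ok"] = len(merged) == len(base)

    guest1.reset()                                 # throw the overlay away
    result["after_reset"] = guest1.read(BLOCK - 2, 4)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Each guest pays only for the blocks it changes, which is why several guests can share one base image and why discarding one guest's overlay cannot affect another guest or the base.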


Conclusion 

User-mode Linux is fun to play with, but it also has some real-world uses.
You can use it to test unknown or untrusted applications while limiting
possible damage to the running host system. You can create virtual
networks of UMLs by starting up multiple guests at once. This allows
you to create a test-lab-in-a-box environment with very little time and
effort, so you can try all those “Stupid Linux Tricks” you were afraid
to try on a real system!


Resources for this article: www.linuxjournal.com/article/8883. 


Matthew E. Hoskins is a Senior UNIX System Administrator for The New Jersey Institute of Technology where 
he maintains many of the corporate administrative systems. He enjoys trying to get wildly different systems 
and software working together, usually with a thin layer of Perl (locally known as “MattGlue”). When 
not hacking systems, he often can be found hacking in the kitchen. Matt is a member of the Society 
of Professional Journalists. He is eager to hear your feedback and can be reached at matt@njit.edu. 
QEMU: a Multihost Multitarget Emulator

QEMU comes to the rescue for those times when VMware is overkill. 


I suddenly found myself with an I-need-to-run-just-one-Windows-application
problem. When I had started at my current job, I was determined finally to
be Windows-free at work, just like I have been at home for several years.
To that end, after I had unpacked my shiny new work computer, I erased
Windows, installed my current favorite Linux distribution, and set up
Ximian Evolution to connect to the Microsoft Exchange server. I thought
that I had finally arrived at Linux nirvana.

It was not to be.

Microsoft's Exchange mail server has this feature where a team, or
group of people, can access a shared mailbox. My manager thought it
would be a good idea to set up one for our team and have clients send
e-mail to that address instead of to each of us individually. With the
shared inbox in place, I found myself needing to check it several times a day.

Evolution can connect to shared mailboxes, but not in the way I have
to connect to mine. My department, being Linux-friendly and
security-conscious, is not on the corporate network, so those who are on
Windows-based systems in my department need to configure their Outlook
e-mail client to connect to the Exchange server over HTTP. Evolution seems
to support connecting to shared mailboxes only when you are on the same
network as the Exchange server, not via the HTTP method.


There was no way around it. I had to run Outlook. And not just
any version. I had to run Outlook 2003, which is the version that can
use the HTTP-connection method. The problem with Outlook 2003
that older versions of Outlook do not have is that it is not compatible
with Wine or CrossOver Office from CodeWeavers, which ruled out
what I considered to be the obvious first-choice solution for running
it on Linux.

My options were therefore:


1. Go back to using Windows.
2. Find another way to run Outlook 2003.


I did not want to go back to using Windows, not for only one application,
so I started looking around for answers to the other option. My
requirements were simple: it had to be able to run Outlook 2003, it had to
be cheap, it had to be usable and it had to be reliable—no crashing.
VMware is an obvious choice for this sort of thing, but as I was footing the
bill myself, VMware was not an option. After a little bit of searching, I
found an excellent VMware alternative: QEMU.


What Is QEMU? 
According to its home page: “QEMU is a FAST! processor emulator using 
dynamic translation to achieve good emulation speed.” 

QEMU is a multihost, multitarget emulator. QEMU will run on x86, x86-64
and PowerPC systems, and it can emulate x86, x86-64, ARM, SPARC,
PowerPC and MIPS architectures. For most of these, it can be run in two
ways: full-system emulation and user-mode emulation. For details on which
modes are supported for which architectures, check out the link in the
on-line Resources.

User-mode emulation allows you to run Linux binaries compiled for
other architectures on your machine. This is great for application
development and testing, but I was more interested in full-system emulation.

Full-system emulation emulates a complete computer system from the
BIOS on up to things like video and sound cards. For x86 system emulation,
QEMU simulates a machine with the following peripherals:


- i440FX host PCI bridge and PIIX3 PCI to ISA bridge.
- Cirrus CLGD 5446 PCI VGA card or dummy VGA card with Bochs VESA
  extensions (hardware level, including all nonstandard modes).
- PS/2 mouse and keyboard.
- Two PCI IDE interfaces with hard disk and CD-ROM support.
- Floppy disk.
- NE2000 PCI network adapters.
- Serial ports.
- SoundBlaster 16 card.
- PC BIOS from the Bochs Project.
- Plex86/Bochs LGPL VGA BIOS.


From the above list, you probably can tell that QEMU is not in 
contention as the Ultimate Linux Box. However, each of the emulated 
devices is well supported by Linux and Windows, which leads to easy 
Virtual Machine (VM) installs and no driver hunting, which is a “Very 
Good Thing”. 

Being on an x86-based machine myself and not needing to run an OS
that requires or even uses an x86-64, ARM, SPARC, PowerPC or MIPS
processor, I can't vouch for QEMU's performance in that regard. I have tested
some disk images of DebianPPC, Gentoo for SPARC and MenuetOS_64,
which is written in x86-64 assembly language. They all booted and ran
without trouble, but I was not able to compare their performance to real
hardware. These, and many other QEMU-ready disk images, are available
from the FreeOS Zoo (see Resources).

My purpose in using QEMU was to run an x86-based OS—Microsoft's
Windows XP—inside my x86-based OS of choice, which is currently
Ubuntu Linux 5.10. The good thing about this particular setup is that
QEMU can employ a virtualization layer, called the KQEMU accelerator, on
top of its standard emulation engine that speeds things up to what the
QEMU Web site claims are “near native speeds”. Near native or not, I can
say this, with the KQEMU accelerator installed, things are definitely faster.

The accelerator hands off as much processing as it can to the real
processor and emulates only the necessary bits. This makes perfect
sense. Why emulate x86 on x86? If there are good reasons to do so,
I cannot think of any.


About KQEMU

Unlike QEMU, which is open source, KQEMU is a closed-source, proprietary
product. The reason for this is money. QEMU developer
Fabrice Bellard has stated that he would be willing to open-source
KQEMU on one condition: if a corporate sponsor picked up the tab
for its continued development. Until then, although you can download
it without cost, KQEMU will remain a proprietary component in
an otherwise open-source product.

There is a project to create an open-source drop-in replacement to
KQEMU called qvm86 (see Resources). I have not used it, but I have
read statements that say it works as well as or better than KQEMU.


Installing QEMU

To install QEMU, download the source package from the main QEMU Web
site (see Resources) and the binary kqemu package. There is also a binary
QEMU package available. If you download and install the binary, you will
not be able to use KQEMU, because it needs to be compiled into QEMU to
work. KQEMU, unlike QEMU, is available only as a binary package. It is not
open source. See the KQEMU sidebar for more information. At the time of
this writing, QEMU is at version 0.8.0, and KQEMU is at version 0.7.2.
Because they are under active development, there may be updated versions
available by the time you read this.

Once I had downloaded the two packages, I first untarred QEMU with:


tar -zxvf qemu-0.8.0.tar.gz


Next, I changed directories into the qemu-0.8.0 directory I had just created
and did:


tar -zxvf ../path/to/kqemu-0.7.2.tar.gz


This created a kqemu directory inside of my qemu-0.8.0 directory.

When I compile applications from source, a ./configure, make, make
install at this point is usually all that I need to do to get a piece of
software installed. QEMU needed a bit more hand holding.

In order to have QEMU compile successfully on my machine, I had to
make a few changes to the configure script. The changes themselves were
quite simple. First, QEMU does not get along with 4.x versions of gcc, so I
had to change the cc= and host_cc= lines to use gcc-3.4 specifically. Then,
I had to change kqemu="no" to kqemu="yes". Finally, it was necessary to
enter the path to my kernel source tree in kernel_path="". One note:
QEMU uses SDL for output, so although I did not need to install anything
extra for my particular setup, others may have to install some SDL libraries
before the configure script will be happy.

Figure 1. QEMU Running the KNOPPIX Live CD

Once I was able to run ./configure without it complaining, I ran
make and then make install to install QEMU to my /usr/local/ directory.
To install the KQEMU accelerator kernel module, I typed the following into
an open terminal:


modprobe kqemu 


Using an Existing Image 

Once I had installed QEMU, I wanted to see it in action. The easiest way to
try it out was to boot a live CD ISO image like KNOPPIX, Ubuntu,
SimplyMepis, DSL, Puppy or one of the scores of others. To boot QEMU off
a bootable CD image, I simply entered the following at the command line:


qemu -boot d -cdrom path/to/distro.iso


The -boot d parameter tells QEMU to boot from the CD drive, and
-cdrom path/to/distro.iso tells QEMU where the CD-ROM “drive” is, which
in this example, is simply an ISO image. I also could have pointed QEMU at
my actual CD-ROM drive—/dev/cdrom—and when I installed Windows,
that is what I did.


Creating an Image and Installing an OS 
Before I could install an operating system, I first needed to prepare a virtual
hard disk in which to install. QEMU understands various disk image formats,
including VMware's vmdk, which would have come in handy if I had
some of them lying around. As it turned out, the default, “raw” format
worked well. A raw format disk image acts like an unformatted hard drive,
which was perfect for my needs.

I used the following command to create an image named winxp.img,
5GB in size, which I figured was big enough to install Windows XP and
Outlook and give me plenty of e-mail storage:


qemu-img create winxp.img 5120M


Looking back, a better size would have been 4GB, because that would
have made it easier to create DVD backups.

Figure 2. Booting Windows for the First Time

Now that I had a virtual hard drive, I put my Windows XP Pro
installation CD into my CD-ROM drive and launched QEMU with the
appropriate arguments:


qemu -boot d -hda path/to/winxp.img -cdrom /dev/cdrom -m 256 -localtime 


The -m 256 option set the memory allocated to the VM to 
256MB—the default is 128MB, which is a bit small for Windows XP 
Pro. The -localtime option set the virtual BIOS clock to the local time 
on the host machine—the default is to set the BIOS clock to Universal 
Coordinated Time. 

I found that installing Windows onto a virtual machine was very similar
to installing it on a “real” computer. The installer comes up and has you
choose where to install Windows. It asks you if you want to format your
hard drive, prompts you to enter in your license key and so on. Once the
base install was done, I shut down the VM, replaced my Windows XP Pro
installation CD with my Microsoft Outlook installation CD and launched
QEMU like so:


qemu -boot c -hda path/to/winxp.img -cdrom /dev/cdrom -m 256 -localtime


The only difference was to boot from winxp.img instead of from
/dev/cdrom. The Outlook installation went like a typical Outlook
installation—no real surprises there. When the Outlook installation was
completed, I had a functioning Windows machine to call on whenever I needed it.

Now that I had my base operating system and needed application
installed, I shut down the machine and created a GNOME launcher, so I
could fire up my virtual Windows machine without typing it into my terminal
every time. As you can see from Figure 4, I basically removed the CD-ROM
info from the command, because I don’t need a CD-ROM to be present
during normal operation. Refer to the documentation for your distribution
on how to create a custom application launcher.

Figure 4. A Simple GNOME Launcher for QEMU


Squeezing More Performance out of QEMU 
There are a few ways to squeeze extra performance out of QEMU:


1. More RAM: the first thing I did was add more RAM. I did not want
QEMU to have any reason to access my swap partition. Swap partitions
are very useful, but too slow for resource-intensive tasks such as emulation.
With more RAM, you get not only better performance from your
VM, you also can run multiple VMs at the same time (see Figure 5 for
an example of this).

2. KQEMU: the second thing I did to get better performance was to compile
in the KQEMU accelerator module.

3. Set up a RAM disk: even with extra memory, there are times when
QEMU needs to cache things to disk. To speed up this process, I set up
a RAM disk. A RAM disk is a virtual disk drive created from free RAM.
To create it, I entered the following into my /etc/fstab and then rebooted
my machine:


tmpfs /dev/shm tmpfs defaults 0 0


Figure 5. QEMU Running Three Virtual Machines Simultaneously


Getting Files in to and out of QEMU 

A dilemma I ran into after I started using QEMU was how to get files out 
of my QEMU VM for backup purposes. The first method I tried was to 
install an SSH secure copy (scp) client for Windows and then use it to 
transfer files to myself. This works, but it was not as simple as I wanted the 
process to be. 


The second method I tried worked much better. When starting QEMU, 
there is an option to specify a shared directory. QEMU makes it available to 
the VM through Samba, so you need to have Samba installed for this to 
work. The option is -smb dir—where dir is the directory on my host 
machine for which I want my Windows XP VM to have access. I then 
added the following line to C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS 
on my Windows XP VM: 


10.0.2.4 smbserver 


Accessing my shared folder from within my VM was then as easy as 
navigating to \\smbserver\qemu. 


Conclusion 

QEMU may lack the graphical configuration and VM setup tools of 
commercial programs like VMware, but I have found it to be an excellent 
solution to the I-need-to-run-just-one-Windows-application problem. Judging 
from the comments I’ve read on the QEMU forum and on the #qemu 
channel on the Freenode IRC network, QEMU is well suited to solving 
many other problems. Give it a try, I think you'll like it. 


Resources for this article: www.linuxjournal.com/article/8884. 


Daniel Bartholomew has been using computers since the early 1980s when his parents brought home 
an Apple IIe (with an 80-column card!). After stints on Mac and Windows machines, he discovered Linux 
(Slackware) in 1996 and has been using various distributions ever since. He lives with his wife and 
children in North Carolina. 


Xen is a hypervisor virtual machine that 
runs multiple open-source operating systems. 


IRFAN HABIB 


In the last half century, microcomputers have become 
increasingly powerful. Server systems have grown so power- 
ful, that many enterprise servers typically are underutilized. 
Modern computers are sufficiently powerful to use virtualiza- 
tion to present the illusion of running many virtual systems 
on a single machine. Each virtual system runs a separate 
operating system instance simultaneously. So, you can run 
multiple instances of Linux at the same time on the same 
machine, or you can run combinations of operating systems, 
such as Linux, FreeBSD, Windows and so on. This has led to 
a resurgence of interest in Virtual Machine (VM) technology, 
which has been around for decades on bigger iron. 

The Systems Research Group at the University of 
Cambridge Computer Laboratory originally developed Xen 
(open-source virtualization software) as part of the 
XenoServers Project, funded by the UK-EPSRC. 

XenoServers aims to provide a “public infrastructure 
for global distributed computing”. Xen plays a key part in 
that project, allowing users to partition a single machine 
efficiently to enable multiple independent clients to run 
their operating systems and applications in an environment. 
See www.cl.cam.ac.uk/xeno for more information 
on the XenoServers Project. 

Xen is an x86 virtual machine monitor that allows multi- 
ple commodity operating systems, such as Linux and MS 
Windows, to share conventional hardware in a safe and 
resource-managed fashion. It is designed with minimal per- 
formance overhead. As a result, the virtualized instances of 
operating systems have close to native performance. The Xen 
folks achieve this by providing a virtual machine abstraction 
to which operating systems, such as Linux and MS Windows, 
can be ported with minimal effort. Xen has, according to a 
number of benchmarks, considerably out-performed 
competing commercial and freely available solutions. 

Xen is such an effective means of lowering total cost of 
ownership through virtualization that the original Xen 
development team launched a consulting business based on the 
project. See XenSource (www.xensource.com), which is 
considered “home to the world-wide Xen open source community”. 


Applications of Xen 

One of the major uses of Xen so far has been 
for consolidation of servers. An organization 
can shift server software hosted on multiple 
physically separate servers and locate them 
onto a single server, by using virtual machines 
for each individual server. For example, it is 
now possible for a company to host Sendmail 
on a FreeBSD installation while hosting the 
Apache Web server on Red Hat Enterprise 
Edition, both on the same physical server. 

This enables enterprises to reduce their 
total cost of ownership by using a few servers 
to do tasks that used to require many servers. 
Server consolidation also makes it easier to 
manage systems. 

Xen can enable the development of distributed 
Web services. This gives users the perception 
that services are hosted on separate systems, 
but they, in fact, are hosted on the same 
physical system. This leads to huge savings 
in IT budgets in deploying service-oriented 
applications and provides a platform for hosting 
other network-centric applications. 

Xen has been a boon in operating system 
research. Through Xen, it is now possible 
to implement new kernel-level algorithms 
and test them in a virtual environment with- 
out affecting the host OS. In Linux kernel 
development, employing user-mode Linux is 
popular; however, Xen has out-performed 
user-mode Linux in a number of benchmarks. 

Xen's virtualization capabilities have enabled 
organizations to keep their servers available 24/7. 
Organizations can launch a temporary virtual 
server to keep services available while patching 
and upgrading an OS on the virtual server they 
normally use to provide those services. 

Xen also enables organizations to run legacy 
applications on new hardware, protecting their 
past investments. 


Comparison to Other Approaches 
Now that we have a taste of the potential 
applications and advantages Xen offers, let’s 
briefly look at how it compares to other 
approaches and explore some salient features 
of its internal workings. 

Hosting different operating systems on a 
single server is nothing new. Many desktop 
PCs nowadays are dual-boot systems, where 
at least two different operating systems are 
installed in a single machine, each running 
a set of software specific to each. 

When users require both operating systems 
to run at the same time, there are several 
options. They can get two computer systems 
and dedicate each system to each service. 
They can use an emulator such as Wine or 
Win4Lin to run services from MS Windows 
on Linux, or use CoLinux to run unmodified 
Linux services on MS Windows. 

However, these approaches have certain 
drawbacks. Getting two servers to host two 
services is inherently expensive and would 
lead to underutilization of resources. Wine, 
Win4Lin or other emulators often have 
performance, scalability and compatibility problems. 

So, the best solution in many cases is to run 
virtual machine software on a single machine 
and host both operating systems at once on 
the same machine. 

Proprietary virtualization systems exist, 
such as VMware Workstation [see page 
56 for Mick Bauer's review of VMware 
Workstation 5.5]. Software, such as VMware, 
implements what is called full virtualization. 
VMware virtualizes every aspect of the com- 
puter. VMware, therefore, introduces a good 
deal of overhead. The concurrent operating 
systems often run more slowly than usual. 
As hardware becomes cheaper and more 
powerful and software becomes more opti- 
mized, this lag in performance may not be 
noticeable in the future, but currently it 
poses a problem. 

VMware does have enterprise-level com- 
mercial products, such as ESX Server, which 
have better performance than the VMware 
Workstation product, and such a product 
may be able to run virtualized operating 
systems close to their native performance. 
However, benchmarks of this product are not 
available, and VMware Workstation consis- 
tently has under-performed Xen in various 
benchmark tests. 

VMware's approach does have one large 
advantage over Xen's approach. VMware is 
capable of virtualizing proprietary operating 
systems. As I discuss later in this article, you 
have to port an operating system's kernel to 
Xen for it to work with Xen. You cannot run 
an operating system on Xen otherwise. 


Hypervisor 

Xen is a virtual machine hypervisor. That is, it 
doesn’t run on any OS, it makes an OS run 
on it! Xen runs at the highest priority level 
the x86 architecture allows (called Ring 0). It 
makes the OS get the second-highest priority 
in x86 architecture (called Ring 1). 

Xen provides certain libraries to which the 
OS kernel has to be ported in order to work 
with Xen. Porting an OS to run on Xen is 
similar to porting the OS to a new hardware 
platform; however, the process is simplified 
because the paravirtual machine architecture 
is very similar to the underlying native hard- 
ware. Although the kernel has to be ported, 
Xen does not require any modification to 
user applications, which can run unaltered 
on a Xen system. 

So far, only open-source operating sys- 
tems have been ported to Xen. Unless 
Microsoft releases a Xen-enabled Windows 
version, we might not get the benefit of a 
completely virtualized MS Windows. So far, 
Linux ports are available, and FreeBSD, 
NetBSD and Solaris 10 ports are underway. 

The developers of Xen had to overcome 
some major challenges to partition successfully a modern machine's 
resources amongst multiple guest operating systems. First, virtual 
machines had to be isolated from one another—that is, problems in one 
machine must not affect the working of other virtual machines. Second, 
it was necessary to support a variety of different operating systems to 
accommodate the heterogeneity of popular applications, such as 
enterprises commonly using a mix of Linux and MS Windows installations to 
support their working. Third, the performance overhead introduced by 
virtualization should be small. Xen's approach addresses each one of 
these challenges successfully. See “Xen and the Art of Virtualization” 
at www.cl.cam.ac.uk/Research/SRG/netos/papers/2003-xensosp.pdf, 
which discusses Xen's approach in detail. 

We'll go through some salient features of Xen’s approach. 

As stated earlier, Xen is a hypervisor that uses paravirtualization, when 
an operating system is ported to Xen. Xen has access to some internal OS 
kernel information in order to manage the system. This porting also gives 
the guest OS kernel access to real as well as virtual information, which has 
specific advantages for time-critical tasks. Paravirtualization permits very 
high-performance virtualization, even on architectures like x86 that don't 
inherently support virtualization. 

Paravirtualization enables Xen to multiplex physical resources at 
the granularity of an entire operating system and is able to provide 
performance isolation between each VM. This also allows a range of 
guest operating systems to coexist, without having any effect on each 
other. Xen's paravirtualization approach allows users to run 
applications in a resource-controlled fashion. Furthermore, it provides an 
extremely high level of flexibility, because users can create dynamically 
the precise execution environment their software requires. Unfortunate 
configuration interactions between various services and applications 
are avoided. 


Try It Yourself 

As mentioned previously, Xen is primarily developed for the x86 archi- 
tecture; however, it does not support all x86-based processors—only 
those that are P6 or newer, including Pentium Pro to Pentium 4 and 
Intel Celeron and Intel Pentium Xeon processors. Apart from Intel, 
AMD processors from Athlon to AthlonXP and FX processors are 
supported, as well as the AMD Duron. 

Interested readers may want to try out Xen for themselves, without 
installing the entire system. The Xen Project provides a live CD demonstra- 
tion of Xen, which comes with both Debian and CentOS. The live CD version 
can be a powerful tool for demonstrating the features of Xen. It is possible 
to boot in to any of the provided distributions and start new instances of 
either distribution, as many times as the system memory allows. 

It is also possible, in the live CD version, to monitor the resource usage of 
all virtual machines in real time and start applications in each virtual machine. 


Installing Xen 
For power users who want to get down to installing Xen, the following is 
a brief guide. Installing Xen is a three-step process. You install Xen and its 
user-level tools, then configure your bootloader and, finally, define the VM 
configuration files for each guest OS. 

Installing from binary tarballs or an RPM package is the easiest way to 
install Xen. For binary tarballs, simply do this: 


bash# tar zxvf xen-3.0-install.tgz 
bash# cd xen-3.0-install 
bash# sh ./install.sh 


For an RPM package, do this: 


bash# rpm -iv xen-3.0-i686.rpm 


(or whatever the name of the RPM is). 

Installing Xen from source is more complicated, as it involves patching 
and recompiling the Linux kernel. Installing from source is not covered 
in this article, but is described thoroughly in the Xen User Manual 
(www.cl.cam.ac.uk/Research/SRG/netos/xen/documentation.html). 


Configuring the Bootloader 
After Xen has been installed, we need to configure the bootloader. For 
GRUB users, edit the menu.lst file, and add this entry: 


title Xen 
kernel /boot/xen-3.0.gz dom0_mem=32768 
module /boot/vmlinuz-2.6-xen0 root=/dev/hda7 ro console=tty0 


vmlinuz-2.6-xen0 is the kernel image that would have been installed by 
the tarball binaries or RPM; if you install from source, replace the name of 
the image here. 

Also be sure to replace the name of the root filesystem to suit your sys- 
tem (in this example, it is root=/dev/hda7). 

For LILO users, do the following: 


image="/boot/xen-3.0.gz" 
label="Xen" 
root="/dev/hda7" 
read-only 
append="dom0_mem=32768" 


After Xen has been installed and configured, you are now ready to 
boot in to Xen and start your first virtual machine. 
After rebooting and starting your Xen installation, which resembles a 
normal Linux startup, log in to Domain0. That is the most-privileged 
domain in a Xen system. 

From here, users can create virtual machines that will run guest operat- 
ing systems, and start and stop virtual machines. 

To create a new virtual machine, you need to define a configuration 
file for it. Xen comes with two default configuration files in the /etc/xen 
directory named xmexample1 and xmexample2. The configuration files 
contain many parameters, but fortunately, many of them are optional. 
You need only a few configured parameters to get your virtual machine 
running. Some important parameters include: 


• Kernel: which kernel to boot. 

• Root: the root filesystem. 

• Disk: on which disk partition the system is installed. 

• Memory: define how much memory the virtual machine should use. 


A sample configuration file may look like this: 


kernel = '/boot/vmlinuz-2.6.12.6-xen' 
disk = [ 'phy:hda1,hda1,w' ] 
root = '/dev/hda1 ro' 
memory = 128 


After declaring a configuration file for the virtual machine, you can 
boot up the machine by typing the following: 


bash# xm create -c /root/myOSconf vmid=1 


where myOSconf is the name of the configuration file. 

After this, a new window will pop up, and you will see a normal 
Linux startup until you reach the login screen, and from there you can 
enjoy your new guest OS. 
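
The four parameters listed above can be checked before xm create is run. The following is an added example, not code from the article or from the Xen project: because xm configuration files use Python syntax, it reads them with Python's ast module instead of executing them, checks the parameters the article names, and flags a physical device exported writable to more than one guest, which would undercut the isolation between virtual machines discussed earlier. The guest names, the sample files and the restriction of the mode field to r and w are assumptions.

```python
"""Static check of xm-style guest configuration files (added example)."""
import ast
from collections import defaultdict

REQUIRED = ("kernel", "root", "disk", "memory")  # the parameters the article lists


def load_config(text):
    """Collect top-level `name = literal` assignments without executing the file."""
    settings = {}
    for node in ast.parse(text).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        try:
            settings[node.targets[0].id] = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            settings[node.targets[0].id] = None  # computed value: recorded, never run
    return settings


def parse_disk(spec):
    """Split 'phy:hda1,hda1,w' into (backend, guest_device, mode)."""
    parts = [p.strip() for p in str(spec).split(",")]
    if len(parts) != 3 or ":" not in parts[0]:
        raise ValueError("disk entry %r is not 'type:device,guestdev,mode'" % (spec,))
    if parts[2] not in ("r", "w"):  # assumption: only these two modes are accepted
        raise ValueError("disk entry %r has unknown mode %r" % (spec, parts[2]))
    return tuple(parts)


def check_guest(name, text):
    """Return (problems, disks) for one guest configuration."""
    try:
        cfg = load_config(text)
    except SyntaxError as exc:
        return ["%s: cannot parse (%s)" % (name, exc.msg)], []
    problems, disks = [], []
    for key in REQUIRED:
        if cfg.get(key) in (None, "", []):
            problems.append("%s: '%s' is missing or not a literal" % (name, key))
    memory = cfg.get("memory")
    if memory is not None and (not isinstance(memory, int) or memory <= 0):
        problems.append("%s: memory must be a positive integer" % name)
    disk = cfg.get("disk")
    if disk is not None and not isinstance(disk, list):
        problems.append("%s: disk must be a list of strings" % name)
        disk = []
    for spec in disk or []:
        try:
            disks.append(parse_disk(spec))
        except ValueError as exc:
            problems.append("%s: %s" % (name, exc))
    return problems, disks


def check_host(configs):
    """configs maps guest name -> config text. Returns a list of findings."""
    findings = []
    users = defaultdict(list)  # backend device -> [(guest, mode), ...]
    for name in sorted(configs):
        problems, disks = check_guest(name, configs[name])
        findings.extend(problems)
        for backend, _guest_device, mode in disks:
            users[backend].append((name, mode))
    for backend, used_by in sorted(users.items()):
        guests = sorted({g for g, _ in used_by})
        writers = sorted({g for g, m in used_by if m == "w"})
        if writers and len(guests) > 1:
            findings.append("%s: writable for %s, shared by %s"
                            % (backend, ", ".join(writers), ", ".join(guests)))
    return findings


# Constructed sample configurations (not taken from a real host).
GUEST_A = """
kernel = '/boot/vmlinuz-2.6.12.6-xen'
disk = [ 'phy:hda1,hda1,w' ]
root = '/dev/hda1 ro'
memory = 128
"""
GUEST_B = """
kernel = '/boot/vmlinuz-2.6.12.6-xen'
disk = [ 'phy:hda1,hda1,w', 'phy:hda5,hda2,r' ]
root = '/dev/hda1 ro'
"""
GUEST_C = """
kernel = pick_kernel()   # computed, so it is reported instead of evaluated
disk = [ 'phy:hda5,hda1,r', 'file:/srv/c.img,hda2' ]
root = '/dev/hda1 ro'
memory = 64
"""

if __name__ == "__main__":
    samples = {"guest-a": GUEST_A, "guest-b": GUEST_B, "guest-c": GUEST_C}
    for finding in check_host(samples):
        print(finding)
```

A device shared read-only by several guests (phy:hda5 in the samples) is not reported; only a backend that at least one guest can write to while another guest also maps it is.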


Conclusion 

Xen is mature, open-source virtualization software that creates many new 
opportunities for organizations in reducing their total cost of ownership 
and providing more dependable and high-availability applications. 
Commodity x86-based systems provide all of this, with a minimum cost of 
porting an operating system to Xen. 

The developers of Xen have tested Xen against other popular 
virtualization solutions, such as VMware Workstation and user-mode 
Linux. In all tests conducted, Xen out-performed the other approaches— 
in standard benchmark tests, such as SPEC INT2000, SPEC WEB99, 
dbench and many more. The results were published in a research 
paper, available at 
www.cl.cam.ac.uk/Research/SRG/netos/papers/2003-xensosp.pdf. 


Irfan Habib has been an open-source enthusiast for five years. He has great interest in distributed computing 
technologies, in which he does full-time research, and he loves to explore new solutions to common problems 
in computing. Comments can be sent to him at irfan.habib@gmail.com. 


Embedded Java with GCJ 


You don't always need a Java Virtual Machine to run Java in an embedded system. GENE SALLY 


This article discusses how to use GCJ, part of the GCC compiler 
suite, in an embedded Linux project. Like all tools, GCJ has benefits, 
namely the ability to code in a high-level language like Java, and its 
share of drawbacks as well. The notion of getting GCJ running on an 
embedded target may be daunting at first, but you'll see that doing so 
requires less effort than you may think. 

After reading the article, you should be inspired to try this out on a 
target to see whether GCJ can fit into your next project. The Java lan- 
guage has all sorts of nifty features, like automatic garbage collection, 
an extensive, robust run-time library and expressive object-oriented 
constructs that help you quickly develop reliable code. 


Why Use GCJ in the First Place? 

The native code compiler for Java does what it says: compiles your Java 
source down to the machine code for the target. This means you 
won't have to get a JVM (Java Virtual Machine) on your target. When 
you run the program's code, it won't start a VM, it will simply load and 
run like any other program. This doesn’t necessarily mean your code 
will run faster. Sometimes you get better performance numbers for 
byte code running on a hot-spot VM versus GCJ-compiled code. 

One advantage of using GCJ is that you save space by not needing 
the JVM. You may save money in royalties as well. Furthermore, using 
GCJ lets you deliver a solution using all open-source software, and 
that’s usually a good thing. 


Pitfalls 

The first thing embedded engineers reach for when creating a root 
filesystem for a target is trusty uClibc, a compact implementation of 
the glibc library. For those new to using Linux on an embedded target, 
the standard C library can be a bit on the large side when working 
with targets that may have only 8MB (for example) for a root filesys- 
tem. To conserve space on an embedded system’s root filesystem, engi- 
neers will switch from the standard C library to something smaller, like 
uClibc. GCJ requires Unicode support, which is not supported by 
uClibc, so glibc is a requirement. 

The standard library for GCJ weighs in at 16MB, so even if you 
could conserve space by switching to a smaller standard C library, it 
wouldn't make that much difference overall. The standard GCJ library 
can be trimmed by removing support for executing Java byte code, but 
the loss of that feature would reduce the overall value of GCJ. 


The Host and Target Configuration 
Because this article is about using GCJ in an embedded environment, it 
shows you how to build a cross compiler and a simple root filesystem for 
the target system. For those new to embedded development, a cross 
compiler builds code that runs on a processor different from the machine 
where the compilation occurred. The machine that runs the compiler is 
called the host and the one where the code runs is called the target. 

In this article, the target system is a PPC 745/755-based system 
running at 350MHz. This particular board comes wrapped in a 
translucent case with a monitor and hard drive and is otherwise known as an 
iMac. Okay, this is hardly a prime example of an embedded system, but 
it does present some of the same challenges you'll encounter with a 
true embedded system. The things you learn here should apply well to 
embedded systems using other processors. 

The host system is a run-of-the-mill IBM ThinkPad notebook 
running a Pentium III processor. Yellow Dog Linux is already running on 
the host system, but with a little sleight of hand, we'll make it use the 
root filesystem created in the article for testing. 


Getting and Unpacking Crosstool 

Crosstool is the creation of Dan Kegel. You can find out everything you want to know about crosstool by visiting 
kegel.com/crosstool. The page has a great quick start guide as well as complete documentation. This article used version 
0.38 available at kegel.com/crosstool/crosstool-0.38.tar.gz. 

On the crosstool home page, check out the buildlogs link (kegel.com/crosstool/crosstool-0.38/buildlogs) to see what 
combinations of glibc/gcc successfully build for your target architecture. 


Getting GCJ Ready 

First, we need a cross compiler that runs on our Pentium machine that 
creates code for a PowerPC 750-based processor. Building a cross compiler 
for a target system can be a very tedious process; a working 
compiler is more than GCC, it also contains some extra tools (affectionately 
named binutils) and the standard libraries for the language. 

To get a cross compiler up and running quickly, try using the 
crosstool package, compliments of Dan Kegel. Crosstool does all of 
the hard work necessary to get a cross compiler built: it fetches the 
source and patches, applies the patches, configures the packages and 
kicks off the build. After obtaining and unpacking crosstool, here are 
the steps for building your GCJ cross compiler: 


export TARBALLS_DIR=~/crosstool-download 
export RESULT_TOP=/opt/crosstool 
export GCC_LANGUAGES="c,c++,java" 
eval `cat powerpc-750.dat gcc-4.0.1-glibc-2.2.2.dat` sh all.sh --notest 


While waiting for the compilation to finish, let's take a look at what 
we just did to start our crosstool build. TARBALLS_DIR is the location 
where crosstool downloads its files. Crosstool fetches all of the files it 
needs for a build by default. RESULT_TOP is the installation directory of 
the cross compiler. Lastly, GCC_LANGUAGES controls which language 
front ends will be enabled for the compiler. GCC supports many 
different language front ends and each front end adds a considerable 
amount of time to the compilation process, so only the necessary ones 
were selected for this toolchain build. 

The last line, for those lacking their bash script-foo license, dumps 
the two dat files on the command line and executes the all.sh script 
with the parameter --notest. To make building a cross compiler easy, 
crosstool includes configuration files with the correct environment 
variables set for the target processor and the gcc/glibc combination. In this 
case, crosstool builds a gcc 4.0.1 with glibc 2.2.2 targeting a PPC 750 
processor. Crosstool includes scripts for all major processor 
architectures and glibc/gcc combinations. 

When the build finishes, the cross compiler will be installed at 
$RESULT_TOP/gcc-4.0.1-glibc-2.2.2/powerpc-750-linux-gnu/bin. Add 
this to your path to make invoking the cross compiler easier. 


Configuring the Root Filesystem 

The first thing to compile with your newly minted cross compiler is the 
root filesystem. The root filesystem, in this case, is compliments of 
BusyBox. For the uninitiated, BusyBox is a single binary that encapsu- 
lates mini versions of the most popular UNIX utilities in a surpassingly 
small executable. Built for people that count bytes, BusyBox has hun- 
dreds of knobs to turn to create a filesystem with the utilities you need 
within your desired space constraints. For the purpose of this article, 
we change the BusyBox configuration so that it cross compiles, leaving 
size optimization as an exercise for the reader. 

BusyBox is a mainstay of the embedded Linux world and is 
maintained by Erik Andersen. One way to get BusyBox is to download it 
at www.busybox.net/downloads/busybox-1.01.tar.bz2. 

To create a BusyBox root filesystem, you need to invoke make 
menuconfig in the directory where BusyBox was untarred. The menuconfig 
program works just like the 2.4/2.6 menuconfig kernel configuration 
interface. Here’s what you'll need to do to build the root filesystem. 

First, select the build options. Check the Do you want to build 
BusyBox with a Cross Compiler? box. Fill in the prefix of the cross 
compiler in the input control that appears when you click this option, in 
this case, powerpc-750-linux-gnu-. The BusyBox build scripts 
concatenate the necessary tool name during compilation (gcc, ld and so on). 
Make sure that the compiler is on your $PATH. 

Next, run make and install: 


make 
make install 


BusyBox puts the newly minted root filesystem at ./_install. You'll 
notice that BusyBox compiles in much less time than GCC. 


Populating the Root Filesystem with Libraries 
Almost there! The root filesystem BusyBox creates does not contain 
any libraries. GCJ programs require some libraries and so does 
BusyBox, shown in Table 1. 

These libraries match those used by the cross compiler. In this 
case, the files are stored in the $RESULT_TOP/gcc-4.0.1-glibc-2.2.2/ 
powerpc-750-linux-gnu/powerpc-750-linux-gnu/lib (not a typo!) directory. 
The easiest way to get them into the root filesystem is simply to copy them: 


for f in ld.so.1 libdl.so.2 libgcc_s.so.1 libgcj.so.6 libm.so.6 libpthread.so.0 ; do 
  # copy the library from the cross toolchain into the BusyBox root filesystem 
  cp $RESULT_TOP/gcc-4.0.1-glibc-2.2.2/powerpc-750-linux-gnu/powerpc-750-linux-gnu/lib/$f \
     <busybox install directory>/lib 
  # strip the copy with the cross toolchain's strip to save space 
  $RESULT_TOP/gcc-4.0.1-glibc-2.2.2/powerpc-750-linux-gnu/bin/powerpc-750-linux-gnu-strip \
     <busybox install directory>/lib/$f 
done 


Table 1. Libraries Required by GCJ and BusyBox 


Library File      Function 

ld.so.1           Dynamically linked file loader. Invoked when the program 
                  is run, loads required libraries and performs dynamic linking. 
libdl.so.2        Helper functions for manipulating dynamic libraries. 
libgcc_s.so.1     Defines interfaces for handling exceptions. 
libgcj.so.6       The GCJ run-time library. Contains implementations 
                  of the standard Java library. 
libm.so.6         Library of math functions. 
libpthread.so.0   POSIX threads library. 


You also need to create a folder in the root filesystem, /proc, to use 
as a mountpoint for the proc filesystem. Keen eyes will notice that I’m 
not preserving the symlinks used to accommodate different versions of 
the libraries—that’s a shortcut typical in embedded systems where 
library configuration won't change over the life of the device, unlike a 
desktop system. Running strip greatly reduces the amount of disk 
space required by the files, almost by 50%. 

At this point, the root filesystem can be copied to the target system 
into the /tmp/bbox directory. To tell the system to use this as the root 
filesystem, start a terminal as root and execute the chroot command: 


chroot /tmp/bbox /bin/ash 


This command remaps the / mountpoint into /tmp/bbox and 
runs /bin/ash to get a terminal. Did it work? Congratulations! 
You've created a complete root filesystem for an embedded system 
from scratch. Pat yourself on the back. 

GCJ also needs the proc filesystem mounted. After the chroot, you 
need to remount the proc filesystem into the current root filesystem by 
doing the following: 


mkdir /proc 
mount -t proc none /proc 


Although this root filesystem resides on a standard drive, the root 
filesystem deployed on a production embedded system wouldn't be 
much different. The only changes necessary would be creating inittab, 
so the board will run the right scripts at the start, and adding a /dev 
filesystem with the right device files for the target board. 


GCJ Development 

After building the cross compiler and root filesystem, building 
your GCJ application will be a bit anticlimactic. We'll start with 
the traditional hello world: 


class hello { 
    // Entry point; selected at link time with --main=hello 
    static public void main(String argc[]) { 
        System.out.println("hello from GCJ"); 
    } 
} 


Following Java convention, this class resides in the hello.class file. 
To compile the file, enter: 


powerpc-750-linux-gnu-gcj hello.class --main=hello -o hello-java 


What's going on with --main=hello? Any class could define a 
method with a suitable entry point. The --main=hello option tells the 
linker to use the main method in the hello class when linking. Leaving 
off this option results in a link error, “undefined reference to 
main”, which, to the uninitiated, is confusing, because your class 
contains a main. 

Download this file to the target and run it from the chrooted 
shell. You'll see: 


# ./java-test 
Hello from GCJ 


At this point, development carries on much like any other Java 
project, with the exception of invoking the GCJ cross compiler instead 
of the native javac compiler. 


Conserving Space 

In this example, the root filesystem weighs in at more than 20MB. 
Because many embedded systems use Flash memory, which is 
considerably more expensive on a per-megabyte basis than disk- 
based storage systems, a minimally sized root filesystem is 
frequently an important business requirement. One easy way to 
reduce the size of your root filesystem is to link 
your application statically. Although this may 
seem counterintuitive at first, as you'll have an 
extra copy of libc code in your application, recall 
that libgcj.so contains the entire Java standard 
library. Most applications use a fraction of the 
standard Java library, so using static linking is 
a great way to winnow out the unused code in 
the library. Just be sure to strip the resulting 
binary; otherwise, you'll be shocked at the size 
due to the amount of debugging information 
in libgcj.so. 


Wrapping Up 

From the article, you've seen that creating software 
for an embedded system using GCJ is something 
that can be reasonably accomplished using tools 
already present in the Open Source community. 
Although there are a few minor nits, configuring 
the root filesystem doesn't require a heroic effort; 
you just need to get a few different libraries from 
what you otherwise would need. For applications 
requiring a smaller root filesystem, we've seen 
how you can use static linking of your application 
to reduce the root filesystem greatly. In short, 
GCJ is a practical solution for using Java on a 
resource-constrained embedded system—worthy 
of consideration for your next project. 


Gene Sally has been working with Linux in one form or another for 
the last ten years. These days, Gene focuses his attention on helping 
engineers use Linux on embedded targets. Feel free to contact Gene 
at gene.sally@gmail.com. 


Is Linux Voice over IP Ready? 


A Voice over IP primer with special attention 
to using it on Linux. MACHTELT GARRELS 


What is Voice over IP really? What do you
need for Voice over IP? What do you mean, I
can't call my girlfriend? What's all that buzz
about open and proprietary protocols? Can I
start my own telecom service? This article
addresses these questions and compares the
most popular Linux applications for calling
and conferencing.


What Is Voice over IP about? 
Internet or digital telephony, or Voice over IP, 
often abbreviated as VoIP, allows parties 
to exchange voice data streams over the 
network. The big difference is that with 
VoIP the data flows over a general-purpose 
network, the Internet, whereas conventional 
telephony uses a dedicated network of 
voice transmission lines. 

Under special circumstances, a VoIP net- 
work can be connected with the conventional 
telephone network. However, at the time of 
this writing, that is certainly not the standard. 
In other words, it is likely you will not be able 
to call people who are using a conventional 
telephone. Although currently various applica- 
tions are available, both free and proprietary, 
telephony over the Internet has some major 
drawbacks. Most noticeably, the system is 
unreliable, it can be slow, or there can be a 
lot of noise on the connection. Therefore, it 
cannot be used to replace conventional 
telephony. Think about emergency calls, for 
instance. Although some providers take some 
precautions, there is no guarantee you will 
be able to reach the party you want to call. 
This is worsened, because in VoIP, there is 
no agreement yet on a standard for assigning 
numbers, like the E.164 standard we have for 
assigning and identifying traditional land lines 
and mobile phone numbers. 

Even if there is some form of integration 
between VoIP and conventional telephony 
networks, this is still different for mobile net- 
works. The major problem is that wireless 
network coverage is not as well developed as 
cellular network coverage. Additionally, there 
is the issue of costs when accessing the 
Internet from your mobile phone. For me, it 
would amount to 0.50 EUR (+/— $.60 US) per
100K of traffic. It is possible that integration
of VoIP in the third-generation telephony net- 
work will ease these troubles. 

You also should be aware that there is no 
encryption in VoIP. So, it is fairly easy for any- 
one to eavesdrop on conversations. 

The bottom line is although VoIP is useful, 
it is not a replacement for land-line telephony 
(yet). 

Let's look at what you'll need to get VoIP 
up and running. 


On the Server Side 
First of all, you need a provider offering the 
service. Some popular providers offer the ser- 
vice for free, and some require a subscription 
fee. Among the free ones are the following: 
SIPphone, Skype, SIP Broker and Google. 

Most free services, however, do not allow 
you to connect with the conventional tele- 
phone network. This so-called full phone 
service is usually not free. Among the most 
popular full phone service providers are the 
following: Vonage, Lingo, AOL TotalTalk 
and SIPphone. 

These lists are certainly not exhaustive, as
new local and global providers join the pool
on a near-daily basis. Also, many SMEs are
currently setting up a VoIP network for
internal use within companies. If you want to set
up your own VoIP network, you might want
to look into Asterisk server software or sipX,
which are open-source PBX implementations.

Figure 1. A Typical VoIP Solution (image courtesy of BroadVoice)

Alternatively, if you want to use only the 
soft phone, meaning the audio system of 
your computer (audio boxes and microphone 
or headset) and accompanying software, 
check out Ekiga, formerly GnomeMeeting, as 
announced January 8, 2006, in the 
GnomeMeeting blog. Although Ekiga sup- 
ports a range of hardware, it is usually set up 
to support (video) conferencing features 
implemented on the software level. Like sipX 
and Asterisk, it is open-source software. 

Note: PBX stands for Private Branch 
eXchange, the system that centralizes all of a 
business’ telephone sets. 


On the Client Side 

Depending on your network architecture, 
some applications might work better than 
others, due to the protocols they use. Most 
standards-based solutions use either the 
H.323 or Session Initiation Protocol (SIP). 
Apart from these two standards, there are a 
lot of proprietary protocols, such as Skype 
(from the company with the same name) 
and SCCP from Cisco. The main difference
between them is that SIP stores the client IP
address in its packets, resulting in difficulties
when you are behind a firewall.

Microsoft NetMeeting and
GnomeMeeting use H.323; Microsoft's
Messenger, Apple's iChat and SIPphone
use SIP. Server software usually implements
several different protocols.

Apart from your network architecture, avail- 
able bandwidth also might be a limiting factor, 
as some applications are optimized for low 
bandwidth, and others expect to be on a broad- 
band connection. This depends on the codecs 
the VoIP systems use for handling sound. 

As far as client hardware is concerned, 
use a headset. Although your PC, especially if 
it is a laptop, might have a microphone and 
speakers built in, you will be far more com- 
fortable using a headset, as it will suppress 
echo and noise from your environment. If you 
have the choice, opt for a USB headset. A 
USB headset is a separate audio device to 
your system. It functions independently from 
existing audio hardware, so it avoids any con- 
flicts that might occur between VoIP and nor- 
mal sound processing. 

If the applications you use provide the 
features, you can redirect audio streams as 
desired. For instance, you can make the ring 
tone for alerting you that you have a call 
come through the normal speakers. When 
you pick up the call, the voice of the calling 
party is redirected to your headset. 


Your Sound System 
Prior to experimenting with VoIP applications, you probably will have to 
use a bit of trial and error to find settings that are comfortable for you. 
Make sure that you can record and play a sample of your own voice 
before you start, as the VoIP programs also will use the recording func- 
tion of your hardware. Activate it in the volume control application 
that comes with your distribution. 

Linux generally has two types of sound architecture: the older 
Open Sound System or OSS, which works with every UNIX-like system, 
and the newer Advanced Linux Sound Architecture or ALSA, which has 
better support for Linux, as the name indicates. One application may 
support OSS and another, ALSA. When you have a choice, we advise 
you to select the use ALSA option in VoIP programs. Select ALSA or 
OSS settings for sound and recording levels accordingly in your distri- 
bution’s volume control panel. 

We tested four applications, based on popularity. We tested all of 
them on Fedora Linux. 


Ekiga, aka GnomeMeeting 

Installation: use the package manager from Fedora. Alternatively, 
download Debian, Mandrake or Red Hat packages. Ekiga requires the 
pwlib, OpenH323 and libavc1394 packages. 

Getting started—registration: the application shows up in the 
menus as Video Conferencing. We experienced GConf errors the first 
time we used it. The solution to that problem is described in the 
GnomeMeeting FAQ. Once we solved that problem, we could get 
started with the First Time Configuration Druid. 

You can register in the general GnomeMeeting users directory (a 
telephone book on a central server) or skip this step. My audio devices 
were recognized automatically, and it was easy to select the headset. 
You don't need to know the device names of your hardware. For 
beginning users, it is a great relief not having to worry about /dev/dsp1 
and those sorts of names. As shown in Figure 2, all applicable devices 
can be neatly selected from a list.

Figure 2. GnomeMeeting—Configuration


Presumably, your machine needs to be configured as an LDAP client
(Lightweight Directory Access Protocol, or Active Directory on MS
Windows) in order to be able to contact the central GnomeMeeting
directory. Lacking that, you need to know the hostname or host IP address and
user names of the people you want to call. If you don’t use LDAP, you will
receive error messages when you try to call someone, even if you can
make a successful call.

Figure 3. GnomeMeeting—Interface

Impressions: at first there was quite some
noise on the connection, even when calling 
another host in the same subnet, but we 
could minimize the noise by adjusting the 
audio volume. There is a mute button for sus- 
pending and resuming audio transmission. 
Luckily, the system with URLs to contact peo- 
ple is well documented in the help files. The 
application itself doesn’t make it easy to use. 


KPhone 
Download using your favorite system tool,
such as Synaptic on Ubuntu.

Installation: the package manager does 
the installation for you. You also can down- 
load RPM packages and install them using 
your distribution’s tools. After the installation 
is finished, the KPhone selection turns up in 
the application menus. 

Getting started: your own address is dis- 
played in the little KPhone window, which 
makes it easy to exchange with other users. It 
also serves as an example for connecting with 
other users. 

The phone book in this application is
easy to use. In the most basic case, simply
let others call you, and received and
missed caller IDs will show up in the phone
book automatically.

Figure 4. KPhone—Minimalistic Interface
Figure 5. KPhone—Accepting a Call

Impressions: KPhone has a very sober 
interface, which makes it easy to use and 
configure the program. 

At one time, I obviously must have
configured the wrong audio device while
trying to configure KPhone to use my USB
headset instead of the built-in speakers
and microphone on my laptop. There is no
list from which to choose audio devices;
this was rather frustrating. KPhone also
segfaulted on me a couple of times, even
after it had worked fine earlier. I could not
get my USB headset to work. Admittedly,
I did not use the latest version. Newer
versions, which need to be compiled from
source on many systems, at the time of
this writing, are reported to work better
and have much improved sound quality.
KPhone has matured a lot in the newest
releases and probably will become even
more popular than it is already as binary
packages are made available.


Skype 

Download from the Skype site (see the 
on-line Resources); packages are available 
for SUSE, Fedora, Mandriva and Debian. 

Installation: I opened the downloaded file
directly in the system installer. It shows up in 
the Internet menu in GNOME after the instal- 
lation is finished. 

Getting started—registration: register 
from inside the client. Choose a user name 
and password. Enter your e-mail address if 
you want to be reminded of your password 
later on. In the contact list, select or search 
for the person whom you want to call. You 
can ask permission to be notified when that 
person is on-line.

Figure 6. Skype—Connection Established


Impressions: Skype is easy to search by 
name, city and country. When you start it up, 
you will see a list of missed calls and contacts 
that are currently on-line, which is quite handy. 

Skype can be configured to use PC speak- 
ers for incoming call alerts and a headset for 
actual communication. 

In the call list, contacts can be displayed 
by name, or you can sort by incoming, out- 
going and failed calls. 

On the downside, the application does not
seem to be very clean. After a while, I could
not log in anymore, and it turned out that five
instances of Skype had been running
simultaneously on my computer, even though I used
the buttons and menus to quit Skype. Also, it
does not seem to be very stable on Linux. I
had what appeared to be remote sound
problems, but the problem was local and could be
solved by stopping and starting Skype.

Figure 7. Skype—Contact List
Figure 8. Skype—Call List


X-Lite 
Download from the CounterPath Web site 
(see Resources). 

Installation: extract the archive to a folder 
in your home directory; the default name is 
xten-lite. In this folder, you will find the exe- 
cutable file, xtensoftphone. 

Getting started—registration: right-click
on the soft-phone image that
appears at startup. This starts the
Audio Tuning Wizard, which
allows you to select audio devices.
Select /dev/dsp1 when using a
headset. Adjust the speaker volume
and voice recording volume
according to your needs.

Figure 9. X-Lite Controls
Figure 10. X-Lite during a Call

You can register at 
support.xten.net to join the 
CounterPath community, or your 
system administrator might have 
set up a private service. I used the
X-Lite interface for testing with the 
Asterisk service at work. In both 
cases, you need to provide a login 
name and password, which you 
get either from the CounterPath 
registration on the Web site or 
from your administrator. 

Impressions: X-Lite is the only
application on this list that actually
tries to look like a cell phone. You
can select a codec according to
your needs. For instance, choose
the GSM codec for low-bandwidth
usage or when you are in
a conference call. Select the
g711a or g711u codec when
you are in a one-on-one call, and
bandwidth is not really an issue.


Comparison

In Table 1, several aspects of the four
applications are compared. For readability, features
are restricted to those affecting telephone
capabilities. All applications have many more
features. I list only those that are different
among applications.


Table 1. Comparison

                        GnomeMeeting     KPhone                   Skype
Maintainer(s)           Damien Sandras   Wirlab Research Center
Licence                 GPL              GPL                      proprietary freeware
Platforms               GNOME, KDE       Linux (Qt)
Protocol                H.323, SIP       SIP                      proprietary
Behind firewall/proxy   yes              possible                 possible
PC-to-phone calls       possible         no                       non-free
Video conferencing                       limited                  no
Rating from 1-10        9


Conclusion

Overall, the experience was quite positive.
Although the open-source programs
KPhone and GnomeMeeting are somewhat
more difficult to use, because you need to
know about URLs and such, it is easier to
get documentation on exactly what you
need and to get that documentation
directly from the makers of the program,
instead of having to be satisfied with a
general help page and some vague
complaints or tips from users.

For Skype and X-Lite, you need to
connect to a server. The nice thing about
GnomeMeeting and KPhone is that you can
use them directly from client to client, even
if you do not register on a server, be it one
that you set up on your own network or an
external one. Maybe I am a bit paranoid,
but I don’t trust Skype. The company says
that its service will remain free, but it says
nothing about its software. As it uses a
proprietary, poorly documented protocol,
I worry about vendor lock-in. For the time
being, I'll stick with GnomeMeeting. Why?
It worked from my first attempt, it is stable,
it does everything it promises to do, and it’s
Belgian, like me.


Manipulating the Networking
Environment Using RTNETLINK


How to use RTNETLINK to develop applications that control networking. ASANGA UDUGAMA 


NETLINK is a facility in the Linux operating system for user-space 
applications to communicate with the kernel. NETLINK is an extension 
of the standard socket implementation. Using NETLINK, an application 
can send/receive information to/from different kernel features, such as 
networking, to check current status and control them. 

In this article, I describe how a programmer can use the networking
environment manipulation capability of NETLINK known as RTNETLINK.
I discuss some areas of use of RTNETLINK, the relevant socket
operations, the functionality, how RTNETLINK messages are formed and
finally, provide a set of sample code that uses RTNETLINK. RTNETLINK
for the IP version 4 environment is referred to as NETLINK_ROUTE, and
for the IP version 6 environment, it is referred to as NETLINK_ROUTE6.
The explanations given here are applicable for both IP versions 4 and 6.

Developers of network layer protocol handlers can use RTNETLINK to 
modify and monitor different components of networking, such as the 
routing table and network interfaces. There are many existing and 
upcoming protocol standards at the Internet Engineering Task Force 
(IETF) that can be implemented in user space. These implementations will 
require manipulating the routing and knowing what is being modified by 
other processes. Some of these protocol categories are as follows: 


■ Dynamic routing protocols: protocols of this category, including the
Routing Information Protocol (RIP), Open Shortest Path First (OSPF)
and Exterior Gateway Protocol (EGP) actively manage the routing
environment of a host while communicating with other equally
capable hosts or routers in the network or Internet.

■ Mobility protocols: hosts that are mobile and connect to different
networks at different times use protocols such as Mobile IP (MIP), Session
Initiation Protocol (SIP) and Network Mobility (NEMO) to manage
routing to maintain connectivity and continuity of communications.

■ Ad hoc networking protocols: hosts that are mobile and located in
places where there is no networking infrastructure, such as routers
and WLAN access points, require peer-to-peer communications with
differently configured hosts. Mobile computers of rescue workers in
an earthquake-struck area or other such emergencies can use ad
hoc networking protocols. These protocols, such as the Ad hoc
On-demand Distance Vector (AODV) and Optimized Link State Routing
(OLSR), require managing the routing to find and communicate with
other hosts using neighboring hosts as routers and gateways.


It helps reduce the complexity of the kernel code if you implement 
these protocols in user space. Further, it simplifies the development 
and testing of these protocols because of the availability of many user- 
space development tools. Problems, such as kernel crashes, that are 
likely with kernel-based code when testing or when used by end users 
will not occur in a user-space protocol handler. 


Socket Operations 
The socket implementation of Linux allows two end points to
communicate. The socket API provides a standard set of functions and data
structures. With RTNETLINK, the two end points in communication are
user space and kernel space. The following sequence of socket calls
has to be made when manipulating the networking environment
through RTNETLINK:


1. Open socket. 

2. Bind socket to local address (using process ID). 
3. Send message to the other end point. 

4. Receive message from the other end point. 

5. Close socket. 


The socket() function opens an unattached end point to communi- 
cate with the kernel. The function prototype of this call is as follows: 


int socket(int domain, int type, int protocol); 


The domain refers to what type of socket is being used. For RTNETLINK, 
we use AF_NETLINK (PF_NETLINK). type refers to the type of protocol used 
when communicating. This can be raw (SOCK_RAW) or datagram 
(SOCK_DGRAM). This is not relevant for RTNETLINK sockets and either can 
be used. protocol refers to the exact NETLINK capability that we use; in our 
case, it is NETLINK_ROUTE. This function returns an integer with a positive 
number called the socket descriptor, if the socket opening was successful. 
This descriptor will be used in all the future RTNETLINK calls until the socket 
is closed. If there was a failure, a negative value is returned, and the system
error variable errno included in errno.h is set to the appropriate error code. 

The following is an example of a call to open an RTNETLINK socket: 


int fd;
fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);

Once the socket is opened, it has to be bound to a local address.
The user application can use a unique 32-bit ID to identify the local
address. The function prototype of bind is as follows:


int bind(int fd, struct sockaddr *my_addr,
         socklen_t addrlen);


To bind, the caller must provide a local address using the 
sockaddr_nl structure. This structure in the linux/netlink.h #include 
file has the following format: 


struct sockaddr_nl
{
    sa_family_t    nl_family;  // AF_NETLINK
    unsigned short nl_pad;     // zero
    __u32          nl_pid;     // process pid
    __u32          nl_groups;  // multicast grps mask
};


The nl_pid must contain a unique ID, which can be created using 
the return of the getpid() function. This function returns the process ID 
of the current user process that opened the RTNETLINK socket. But, if 
our process consists of multiple threads with each thread opening dif- 
ferent RTNETLINK sockets, a modified process ID can be used. 

Once this structure is filled, the binding can be done. The bind 
function returns zero if the operation succeeded. A negative number is 
returned in the case of failure, and the system error variable is set. The 
following is an example of calling bind: 


struct sockaddr_nl la;

bzero(&la, sizeof(la));
la.nl_family = AF_NETLINK;
la.nl_pad = 0;
la.nl_pid = getpid();
la.nl_groups = 0;
rtn = bind(fd, (struct sockaddr*) &la, sizeof(la));


If the operation you require is multicast-based, you must set 
nl_groups to join the multicast group associated with the required 
RTNETLINK operation. For example, if you want to be notified of the 
changes to the routing table by other processes, you must OR (|) the 
RTMGRP_IPV4_ROUTE and RTMGRP_NOTIFY. 

Sending routing RTNETLINK messages to the kernel is done 
through the use of the standard sendmsg() function of the socket 
interface. The following is the prototype of this function: 


ssize_t sendmsg(int fd, const struct msghdr *msg, 
int flags); 


msg is a pointer to a msghdr structure. The following is the format 
of this structure: 


struct msghdr
{
    void         *msg_name;       //Address to send to
    socklen_t     msg_namelen;    //Length of address data

    struct iovec *msg_iov;        //Vector of data to send
    size_t        msg_iovlen;     //Number of iovec entries

    void         *msg_control;    //Ancillary data
    size_t        msg_controllen; //Ancillary data buf len

    int           msg_flags;      //Flags on received msg
};


The msg_name is a pointer to a variable of the type struct sockaddr_nl.
This is the destination address of the sendmsg() function. Because
this message is directed to the kernel, all variables of sockaddr_nl will
be initialized to zero, except the nl_family member variable. The field
msg_namelen should contain the size of a struct sockaddr_nl.

msg_iov should contain a pointer to a struct iovec, which is filled
with the RTNETLINK message relevant to the request being made. The
caller is allowed to place multiple RTNETLINK requests, if required.
msg_iovlen holds the number of struct iovec structures that were
placed in msg_iov. The rest of the variables are initialized to zero.

To receive RTNETLINK messages, the recv() function is used. Here is 
the prototype of this function: 


ssize_t recv(int fd, void *buf, size_t len,
             int flags);


The second and third variables are a pointer to a buffer to place the 
bytes read and the length of this buffer, respectively. For RTNETLINK, the 
buffer will contain a set of RTNETLINK messages that have to be read 
one after the other using a set of macros provided in the netlink.h and 
rtnetlink.h #include files. flags is a set of flags to indicate how the receive 
should be performed. For RTNETLINK, this simply can be initialized to zero. 

Once the socket communications are complete, the socket has to be 
closed using the close() function. Here’s the prototype of this function: 


int close(int fd); 


RTNETLINK Functionality 
A programmer who develops applications that use RTNETLINK must 
include the following #include files at a minimum: 


#include <bits/sockaddr.h> 
#include <asm/types.h> 
#include <linux/rtnetlink.h> 
#include <sys/socket.h> 


These files contain the different definitions, such as data types and 
structures, required to make RTNETLINK calls. Here is a short explana- 
tion of what is defined in these files relevant to RTNETLINK: 


■ bits/sockaddr.h: provides the definitions for the addresses used by
socket functions.

■ asm/types.h: provides the definitions of the data types used in the
header files related to NETLINK and RTNETLINK.

■ linux/rtnetlink.h: provides the macros and data structures that are
used in RTNETLINK. Because RTNETLINK is based on NETLINK, this
also includes the linux/netlink.h. netlink.h defines the general macros
and structures that are used in all the NETLINK-based capabilities.

■ sys/socket.h: provides the function prototypes and the different data
structures related to the socket implementation.


The operations that can be invoked using RTNETLINK are defined in 
the rtnetlink.h file. Each of the operations provides three possibilities of 
manipulation: add/update, delete or query. These three possibilities are 
identified by NEW, DEL and GET. Following are the manipulation opera- 
tions allowed by RTNETLINK. 

General networking environment manipulation services: 


■ Link layer interface settings: identified by RTM_NEWLINK,
RTM_DELLINK and RTM_GETLINK.

■ Network layer (IP) interface settings: RTM_NEWADDR,
RTM_DELADDR and RTM_GETADDR.

■ Network layer routing tables: RTM_NEWROUTE, RTM_DELROUTE
and RTM_GETROUTE.

■ Neighbor cache that associates network layer and link layer
addressing: RTM_NEWNEIGH, RTM_DELNEIGH and RTM_GETNEIGH.


Traffic shaping (management) services:


■ Routing rules to direct network layer packets: RTM_NEWRULE,
RTM_DELRULE and RTM_GETRULE.

■ Queuing discipline settings associated with network interfaces:
RTM_NEWQDISC, RTM_DELQDISC and RTM_GETQDISC.

■ Traffic classes used together with queues: RTM_NEWTCLASS,
RTM_DELTCLASS and RTM_GETTCLASS.

■ Traffic filters associated with queuing: RTM_NEWTFILTER,
RTM_DELTFILTER and RTM_GETTFILTER.


Forming and Reading RTNETLINK Messages 
RTNETLINK employs a request-response mechanism to send and receive 
information to manipulate the networking environment. A request or a 
response of RTNETLINK consists of a stream of message structures. 
These structures are filled by the caller, in the case of a request, or 
filled by the kernel, in the case of a response. To place information into 
these structures or to retrieve information, RTNETLINK provides a set of 
macros (using #define statements). Every request must contain the fol- 
lowing structure at the beginning: 


struct nlmsghdr
{
    __u32 nlmsg_len;   //Length of msg incl. hdr
    __u16 nlmsg_type;  //Message content
    __u16 nlmsg_flags; //Additional flags
    __u32 nlmsg_seq;   //Sequence number
    __u32 nlmsg_pid;   //Sending process PID
};

This structure provides information about what type of RTNETLINK 
message is specified in the rest of the request. It is also called the 
NETLINK header. Here is a brief explanation of these fields: 


■ nlmsg_len: should contain the length of the whole RTNETLINK
message, including the length of the nlmsghdr structure. This field can
be filled using the macro NLMSG_ALIGN(len), where len is the
length of the message that follows this structure.

■ nlmsg_type: a 16-bit flag to indicate what is contained in the
message, such as RTM_NEWROUTE.

■ nlmsg_flags: another 16-bit flag that further clarifies the operation
specified in nlmsg_type, such as NLM_F_REQUEST.

■ nlmsg_seq and nlmsg_pid: these two fields are used to identify an
RTNETLINK request uniquely. The caller can place the process ID and
a sequence number in these fields.


Following the nlmsghdr structure are the structures relevant to the 
operation being requested. Depending on the type of RTNETLINK oper- 
ation, the caller must include one or more of the following structures. 
These are called the RTNETLINK operation headers: 


■ struct rtmsg: retrieving or modifying entries of the routing table
requires the use of this structure.

■ struct rtnexthop: a next hop in a routing entry is the next host to
consider on the way to the destination. A single routing entry can have
multiple next hops. Each next hop entry has many types of attributes,
such as the network interface in addition to the next hop IP address.

■ struct rta_cacheinfo: each route entry consists of status information
that the kernel updates regularly, mainly usage information. Using
this structure, a user can retrieve this information.

■ struct ifaddrmsg: retrieving or modifying network layer attributes
associated with a network interface requires the use of this structure.

■ struct ifa_cacheinfo: similar to a route entry, a network interface
also consists of information about its status, which is updated by
the kernel. This structure is used to retrieve this information.

■ struct ndmsg: retrieving or modifying the association information
between link layer addressing and network layer addressing of
neighbors, referred to as neighbor discovery, is specified through
this structure.

■ struct nda_cacheinfo: holds the kernel updated information related
to each neighbor discovery entry.

■ struct ifinfomsg: retrieving or modifying the link layer attributes
related to a network interface requires the use of this structure.

■ struct tcmsg: retrieving or modifying traffic shaping attributes is
supplied using this structure.


Following the RTNETLINK operation header are the attributes relat- 
ed to the operation, such as an interface number and IP address. These 
attributes are specified using the struct rtattr. There is one structure for 
each attribute. This structure has the following format: 


struct rtattr
{
    unsigned short rta_len;
    unsigned short rta_type;
};


Immediately following this structure is the value of the attribute. An 
attribute such as an IP version 4 address will occupy a 4-byte area. The 
variable rta_len should contain the size of this structure plus the size of 
the attribute. rta_type should contain the value identifying the attribute, 
which are given in the enumerations defined in rtnetlink.h. enum 
rtattr_type_t and other enumerations provide the attribute identifiers, 
such as IFA_LADDRESS and NDA_DST, to be used in this field. The
number of attributes that you can attach is limited by the
macro RTATTR_MAX. An example of attaching an attribute is as follows:


rtap->rta_type = RTA_DST;
rtap->rta_len = sizeof(struct rtattr) + 4;
inet_pton(AF_INET, dsts,
          ((char *)rtap) + sizeof(struct rtattr));


Information that is received from an RTNETLINK socket is again a 
stream of structures. A programmer has to identify and extract information 
by moving a pointer along this byte stream. To simplify this process, 
RTNETLINK provides a set of macros to make the buffer positioning easier: 


■ NLMSG_NEXT(nlh, len): returns the pointer to the next NETLINK header. 
nlh is the header returned previously, and len is the total length of the 
message. This will be called in a loop to read every message. 


■ NLMSG_DATA(nlh): returns the pointer to the RTNETLINK header related 
to the requested operation given the NETLINK header. If a route entry 
is being manipulated, this will return a pointer to a struct rtmsg. 


■ RTM_RTA(r), IFA_RTA(r), NDA_RTA(r), IFLA_RTA(r) and TCA_RTA(r): 
return a pointer to the start of the attributes of the respective 
RTNETLINK operation given the header of the RTNETLINK message (r). 


■ RTM_PAYLOAD(n), IFA_PAYLOAD(n), NDA_PAYLOAD(n), 
IFLA_PAYLOAD(n) and TCA_PAYLOAD(n): return the total length 
of the attributes that follow the RTNETLINK operation header 
given the pointer to the NETLINK header (n). 


■ RTA_NEXT(rta, attrlen): returns a pointer to the start of the next 
attribute given the last returned attribute (rta) and the remaining 
size (attrlen) of the attributes. 


Considering a simple example where an RTNETLINK request to retrieve 
the routing table was sent, the reply is processed in the following manner: 


char *buf;              // ptr to RTNETLINK data 
int nll;                // byte length of all data 
struct nlmsghdr *nlp; 
struct rtmsg *rtp; 
int rtl; 
struct rtattr *rtap; 

nlp = (struct nlmsghdr *) buf; 
for(;NLMSG_OK(nlp, nll); nlp=NLMSG_NEXT(nlp, nll)) 
{ 
    // get RTNETLINK message header 
    rtp = (struct rtmsg *) NLMSG_DATA(nlp); 

    // get start of attributes 
    rtap = (struct rtattr *) RTM_RTA(rtp); 

    // get length of attributes 
    rtl = RTM_PAYLOAD(nlp); 

    // loop & get every attribute 
    for(;RTA_OK(rtap, rtl); rtap=RTA_NEXT(rtap, rtl)) 
    { 
        // check and process every attribute 
    } 
} 


RTNETLINK Sample Walk-Through 
The sample code presented here focuses on three of the operations 
that can be performed on the routing table: 


■ get_routing_table: reads the main routing table in the system. 
■ set_routing_table: inserts a new routing entry to the table. 
■ mon_routing_table: monitors the routing table changes. 


All three samples use a similar main() function that calls a set of 
subfunctions to form RTNETLINK messages and send, receive and process 
the received messages. To simplify the explanation, no error handling is 
considered. These samples perform on the IP version 4 environment of 
the system (AF_INET). Here is the main() function: 


int main(int argc, char *argv[]) 
{ 
    // open socket 
    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 

    // setup local address & bind using 
    // this address 
    bzero(&la, sizeof(la)); 
    la.nl_family = AF_NETLINK; 
    la.nl_pid = getpid(); 
    bind(fd, (struct sockaddr*) &la, sizeof(la)); 

    // sub functions to create RTNETLINK message, 
    // send over socket, receive reply & process 
    // message 
    form_request(); 
    send_request(); 
    recv_reply(); 
    read_reply(); 

    // close socket 
    close(fd); 
    return 0; 
} 


Similar to the above function, the two functions that perform the 
socket communications are common to almost all the samples. These 
two functions simply send a formed message to the kernel and receive 
messages sent by the kernel. Exceptions here are the set_routing_table 
and mon_routing_table samples. In set_routing_table, a receive phase is 
not considered. In mon_routing_table, a send phase is not present as 
it attempts to monitor only the state of the routing environment to see 
what is being changed. This information is multicast by the kernel to all 
the RTNETLINK sockets that are in the appropriate receiving state. 

First, here's the code for send_request(): 


void send_request() 
{ 
    // create the remote address 
    // to communicate 
    bzero(&pa, sizeof(pa)); 
    pa.nl_family = AF_NETLINK; 

    // initialize & create the struct msghdr supplied 
    // to the sendmsg() function 
    bzero(&msg, sizeof(msg)); 
    msg.msg_name = (void *) &pa; 
    msg.msg_namelen = sizeof(pa); 

    // place the pointer & size of the RTNETLINK 
    // message in the struct msghdr 
    iov.iov_base = (void *) &req.nl; 
    iov.iov_len = req.nl.nlmsg_len; 
    msg.msg_iov = &iov; 
    msg.msg_iovlen = 1; 

    // send the RTNETLINK message to kernel 
    rtn = sendmsg(fd, &msg, 0); 
} 


And here’s the recv_reply(): 


void recv_reply() 
{ 
    char *p; 

    // initialize the socket read buffer 
    bzero(buf, sizeof(buf)); 

    p = buf; 

    // read from the socket until the NLMSG_DONE is 
    // returned in the type of the RTNETLINK message 
    // or if it was a monitoring socket 
    while(1) { 
        rtn = recv(fd, p, sizeof(buf) - nll, 0); 

        nlp = (struct nlmsghdr *) p; 

        if(nlp->nlmsg_type == NLMSG_DONE) 
            break; 

        // increment the buffer pointer to place 
        // next message 
        p += rtn; 

        // increment the total size by the size of 
        // the last received message 
        nll += rtn; 

        if((la.nl_groups & RTMGRP_IPV4_ROUTE) 
                        == RTMGRP_IPV4_ROUTE) 
            break; 
    } 
} 


The above functions and the following ones use a set of globally 
defined variables. These are used for all the socket operations as well 
as for forming and processing RTNETLINK messages: 


// headers needed by the samples 
#include <stdio.h> 
#include <string.h> 
#include <strings.h> 
#include <unistd.h> 
#include <sys/socket.h> 
#include <arpa/inet.h> 
#include <linux/netlink.h> 
#include <linux/rtnetlink.h> 

// buffer to hold the RTNETLINK request 
struct { 
    struct nlmsghdr nl; 
    struct rtmsg    rt; 
    char            buf[8192]; 
} req; 

// variables used for 
// socket communications 
int fd; 
struct sockaddr_nl la; 
struct sockaddr_nl pa; 
struct msghdr msg; 
struct iovec iov; 
int rtn; 

// buffer to hold the RTNETLINK reply(ies) 
char buf[8192]; 

// RTNETLINK message pointers & lengths 
// used when processing messages 
struct nlmsghdr *nlp; 
int nll; 
struct rtmsg *rtp; 
int rtl; 
struct rtattr *rtap; 


The get_routing_table sample retrieves the main routing table of 
the IPv4 environment. The form_request() function is as follows: 


void form_request() 
{ 
    // initialize the request buffer 
    bzero(&req, sizeof(req)); 

    // set the NETLINK header 
    req.nl.nlmsg_len 
        = NLMSG_LENGTH(sizeof(struct rtmsg)); 
    req.nl.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; 
    req.nl.nlmsg_type = RTM_GETROUTE; 

    // set the routing message header 
    req.rt.rtm_family = AF_INET; 
    req.rt.rtm_table = RT_TABLE_MAIN; 
} 


The received message for the RTNETLINK request in the buf variable 
to retrieve the routing table is processed by the read_reply() function. 
Here is the code of this function: 


void read_reply() 
{ 
    // string to hold content of the route 
    // table (i.e. one entry) 
    char dsts[24], gws[24], ifs[16], ms[24]; 

    // outer loop: loops thru all the NETLINK 
    // headers that also include the route entry 
    // header 
    nlp = (struct nlmsghdr *) buf; 
    for(;NLMSG_OK(nlp, nll);nlp=NLMSG_NEXT(nlp, nll)) 
    { 
        // get route entry header 
        rtp = (struct rtmsg *) NLMSG_DATA(nlp); 

        // we are only concerned about the 
        // main route table 
        if(rtp->rtm_table != RT_TABLE_MAIN) 
            continue; 

        // init all the strings 
        bzero(dsts, sizeof(dsts)); 
        bzero(gws, sizeof(gws)); 
        bzero(ifs, sizeof(ifs)); 
        bzero(ms, sizeof(ms)); 

        // inner loop: loop thru all the attributes of 
        // one route entry 
        rtap = (struct rtattr *) RTM_RTA(rtp); 
        rtl = RTM_PAYLOAD(nlp); 
        for(;RTA_OK(rtap, rtl);rtap=RTA_NEXT(rtap,rtl)) 
        { 
            switch(rtap->rta_type) 
            { 
                // destination IPv4 address 
                case RTA_DST: 
                    inet_ntop(AF_INET, RTA_DATA(rtap), 
                              dsts, 24); 
                    break; 

                // next hop IPv4 address 
                case RTA_GATEWAY: 
                    inet_ntop(AF_INET, RTA_DATA(rtap), 
                              gws, 24); 
                    break; 

                // unique ID associated with the network 
                // interface 
                case RTA_OIF: 
                    sprintf(ifs, "%d", 
                            *((int *) RTA_DATA(rtap))); 
                default: 
                    break; 
            } 
        } 
        sprintf(ms, "%d", rtp->rtm_dst_len); 
        printf("dst %s/%s gw %s if %s\n", 
               dsts, ms, gws, ifs); 
    } 
} 


The set_routing_table sample sends an RTNETLINK request to insert an 
entry to the routing table. The route entry that is inserted is a host route 
(32-bit network prefix) to a private IP address (192.168.0.100) through 
interface number 2. These values are defined in the variables dsts 
(destination IP address), ifcn (interface number) and pn (prefix length). You can run 
the get_routing_table sample to get an idea about the interface numbers 
and the IP network in your system. Here’s the form_request(): 


void form_request() 
{ 
    // attributes of the route entry 
    char dsts[24] = "192.168.0.100"; 
    int ifcn = 2, pn = 32; 

    // initialize RTNETLINK request buffer 
    bzero(&req, sizeof(req)); 

    // compute the initial length of the 
    // service request 
    rtl = sizeof(struct rtmsg); 

    // add first attrib: 
    // set destination IP addr and increment the 
    // RTNETLINK buffer size 
    rtap = (struct rtattr *) req.buf; 
    rtap->rta_type = RTA_DST; 
    rtap->rta_len = sizeof(struct rtattr) + 4; 
    inet_pton(AF_INET, dsts, 
              ((char *)rtap) + sizeof(struct rtattr)); 
    rtl += rtap->rta_len; 

    // add second attrib: 
    // set ifc index and increment the size 
    rtap = (struct rtattr *) (((char *)rtap) 
                              + rtap->rta_len); 
    rtap->rta_type = RTA_OIF; 
    rtap->rta_len = sizeof(struct rtattr) + 4; 
    memcpy(((char *)rtap) + sizeof(struct rtattr), 
           &ifcn, 4); 
    rtl += rtap->rta_len; 

    // setup the NETLINK header 
    req.nl.nlmsg_len = NLMSG_LENGTH(rtl); 
    req.nl.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE; 
    req.nl.nlmsg_type = RTM_NEWROUTE; 

    // setup the service header (struct rtmsg) 
    req.rt.rtm_family = AF_INET; 
    req.rt.rtm_table = RT_TABLE_MAIN; 
    req.rt.rtm_protocol = RTPROT_STATIC; 
    req.rt.rtm_scope = RT_SCOPE_UNIVERSE; 
    req.rt.rtm_type = RTN_UNICAST; 

    // set the network prefix size 
    req.rt.rtm_dst_len = pn; 
} 
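
As an added example (not the article's sample code), the following builds the same host route with a bounds-checked attribute helper and then walks it with the NLMSG_OK/RTA_OK loops shown earlier, rejecting length fields that do not fit the buffer. The names route_req, route_info, add_attr, build_route and parse_routes are assumptions introduced here, and the message is constructed in memory rather than read from a socket.

```c
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical types: the article's req layout, and the parsed fields. */
struct route_req {
    struct nlmsghdr nl;
    struct rtmsg rt;
    char buf[256];
};
struct route_info {
    char dst[INET_ADDRSTRLEN];
    int oif, prefix;
};

/* Append one attribute at the aligned end of the message.
 * Returns 0, or -1 if it would overrun the request buffer. */
static int add_attr(struct route_req *req, unsigned short type,
                    const void *data, size_t dlen)
{
    size_t off = NLMSG_ALIGN(req->nl.nlmsg_len);
    size_t need = RTA_LENGTH(dlen); /* attribute header + value */
    if (dlen > 0xffff - RTA_LENGTH(0) ||
        off + RTA_ALIGN(need) > sizeof(*req))
        return -1;
    struct rtattr *rta = (struct rtattr *)((char *)req + off);
    rta->rta_type = type;
    rta->rta_len = (unsigned short)need;
    memcpy(RTA_DATA(rta), data, dlen);
    req->nl.nlmsg_len = (unsigned int)(off + RTA_ALIGN(need));
    return 0;
}

/* The article's host route: 192.168.0.100/32 through interface 2. */
static int build_route(struct route_req *req)
{
    struct in_addr dst;
    int ifcn = 2;
    memset(req, 0, sizeof(*req));
    req->nl.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    req->nl.nlmsg_type = RTM_NEWROUTE;
    req->nl.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE;
    req->rt.rtm_family = AF_INET;
    req->rt.rtm_table = RT_TABLE_MAIN;
    req->rt.rtm_dst_len = 32;
    if (inet_pton(AF_INET, "192.168.0.100", &dst) != 1 ||
        add_attr(req, RTA_DST, &dst, sizeof(dst)) < 0)
        return -1;
    return add_attr(req, RTA_OIF, &ifcn, sizeof(ifcn));
}

/* Walk a netlink buffer as the article's loops do, but reject any
 * length field that does not fit. Returns the route count or -1. */
static int parse_routes(void *buf, int len, struct route_info *out)
{
    struct nlmsghdr *nlp = buf;
    int routes = 0;
    for (; NLMSG_OK(nlp, len); nlp = NLMSG_NEXT(nlp, len)) {
        if (nlp->nlmsg_type == NLMSG_DONE)
            return routes;
        /* only routes expected; RTM_PAYLOAD() wraps if rtmsg is cut short */
        if (nlp->nlmsg_type != RTM_NEWROUTE ||
            nlp->nlmsg_len < NLMSG_LENGTH(sizeof(struct rtmsg)))
            return -1;
        struct rtmsg *rtp = NLMSG_DATA(nlp);
        struct rtattr *rtap = RTM_RTA(rtp);
        int rtl = RTM_PAYLOAD(nlp);
        for (; RTA_OK(rtap, rtl); rtap = RTA_NEXT(rtap, rtl)) {
            size_t plen = RTA_PAYLOAD(rtap);
            if (rtap->rta_type == RTA_DST && plen == sizeof(struct in_addr))
                inet_ntop(AF_INET, RTA_DATA(rtap), out->dst, sizeof(out->dst));
            else if (rtap->rta_type == RTA_OIF && plen == sizeof(int))
                memcpy(&out->oif, RTA_DATA(rtap), sizeof(int));
            else if (rtap->rta_type == RTA_DST || rtap->rta_type == RTA_OIF)
                return -1; /* known attribute with the wrong size */
        }
        if (rtl > 0) /* bytes left over: an rta_len was out of range */
            return -1;
        out->prefix = rtp->rtm_dst_len;
        routes++;
    }
    return len > 0 ? -1 : routes; /* leftover bytes: truncated message */
}

int main(void)
{
    struct route_req req;
    struct route_info ri = {0};
    if (build_route(&req) < 0)
        return 1;
    printf("routes=%d ", parse_routes(&req, (int)req.nl.nlmsg_len, &ri));
    printf("dst %s/%d if %d\n", ri.dst, ri.prefix, ri.oif);
    RTM_RTA(&req.rt)->rta_len = 200; /* constructed corruption */
    printf("corrupted=%d\n", parse_routes(&req, (int)req.nl.nlmsg_len, &ri));
    return 0;
}
```
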


The mon_routing_table sample reads the RTNETLINK messages 
received when other processes change the system's main routing table. 
This function will use the same read_reply() function to process the 
messages. The main() function requires a slight change. Because this operation 
involves listening to multicast messages of the kernel, the local address to 
which we bind also must include the two flags RTMGRP_IPV4_ROUTE 
and RTMGRP_NOTIFY. Here is the required change: 


la.nl_groups = RTMGRP_IPV4_ROUTE | RTMGRP_NOTIFY; 


Once mon_routing_table is executed, run a route add or a route 
del command from another shell prompt to see the results. 


Conclusion 
RTNETLINK is a simple, yet versatile way of manipulating the networking 
environment of a Linux host. User-space network protocol handlers 
are ideal candidates for using RTNETLINK. The advanced IP routing 
command suite, referred to as IPROUTE2, is based on RTNETLINK. More 
information about the different operations and flags of RTNETLINK can 
be found at NETLINK(7) and RTNETLINK(7). 

The sample code for this article is available at ftp.ssc.com/pub/lj/ 
listings/issue145/8498.tgz. 
Top Ten Tips for Getting Started with PHP 


Here are ten tips that will help you avoid some of the most 
common pitfalls when coding Web applications in PHP. MARCO FIORETTI 


There is little doubt that PHP is one of the easiest languages to use to 
start generating dynamic Web content. PHP, in combination with Linux, 
Apache and MySQL is so popular, it has spawned the expression LAMP 
(Linux, Apache, MySQL and PHP). Many pages go on-line without any need 
for their authors to set up or program anything themselves. They simply find 
some pre-cooked piece of code with a search engine, paste it as is into an 
HTML template, upload everything to their Web server, and they are done. 
Or so they believe. Even previous programming experience may 
not help much, because coding for a desktop or for the Web are 
two very different paradigms. Therefore, pretty often, when people 
cut and paste PHP code, nothing happens (nothing good, at least). 
The pages load very slowly or worse, the programmer's choice of 
PHP code opens a new security hole. 

The tips below are written especially for users who already know 
the basics of programming, but who have never touched PHP before. 
They might be roughly divided in three categories: how to start 
correctly, how not to hurt yourself and, finally, how to make your code 
more efficient. Due to space constraints and the fact that there already 
is plenty of good on-line and paper documentation for PHP, most tips 
explain only what to look for and why. 


1 Check Whether Everything Was Installed and Configured Correctly 
One common source of confusion for PHP beginners is to upload their 
first Web page on some server and see only the PHP/HTML source code 
in the browser instead of the expected content. This happens because 
the Web server doesn’t recognize the file as something that should be 
passed to the PHP interpreter. The reason for this is that the system 
administrator forgot to associate the PHP file with the PHP interpreter. 
You can do this in the Apache configuration file or in a local .htaccess 
file. Here is a sample configuration line: 


AddType application/x-httpd-php .php3 .php 


As a matter of fact, it is possible to know how things stand simply by 
uploading this really short page to your Web space: 


<HTML> 
<HEAD> 
<TITLE>PHP Configuration Check</TITLE> 
</HEAD> 
<BODY><?php phpinfo(); ?> 
</BODY> 
</HTML> 


With any luck, the result will be similar to what is shown in Figure 1. 
The phpinfo() function prints out how PHP was compiled and the value 
of all configuration variables. This function gives you a lot of useful 
information. Its output probably will be the very first thing you'll be asked for 
whenever you seek support on an on-line PHP forum. 

Figure 1. Sample PHP Information Generated by the phpinfo() Function 


2 Let PHP and the Script Tell You about Your Errors 
In order to speed up debugging, you can tell both PHP and the Apache 
Web server which errors must be reported and when. The error_reporting 
variable in the php.ini configuration file can be seen as a series of (bit) 
flags. Each of them can be set individually to detect (or not) a specific 
category of errors. This instruction, for example: 


error_reporting = E_ALL 


sends anything from simple warnings to serious bugs to the browser, 
but only if the other variable display_errors is turned on. General PHP 
settings in the php.ini file can be overridden at the Web server level. 
When using Apache, the instruction equivalent to the one above 
would be (in httpd.conf): 


php_flag display_errors on 
php_value error_reporting 2047 


Should you have no access to the PHP/Web server configuration, 
as often happens, the same result can be accomplished by adding 
this command to your scripts: 


error_reporting(E_ALL); 


Speaking of Web servers, remember also to check their error logs to 
know exactly which line of code caused a script to crash. 

If a script still fails after all these tricks have ceased to find any error, 
almost surely the bug is in the script logic itself. Somewhere, some variable 
is assigned a value that you thought not possible for it, and this confuses 
the rest of the code. This also applies when the variable is actually some 
SQL statement built on the fly and passed to a database server. 

The solution is to display that variable on your browser. You can do 
this easily with the print() instruction normally used to send HTML code 
to the browser. The die() statement does the same thing as print(), but it 
also stops the script immediately afterward. 


3 Headers before Anything Else! 

You can generate and transmit any kind of HTTP header before even 
starting to build the actual Web page. However, you must remember 
that header() has to be called before any HTML code or PHP output, 
including blank or empty lines! Code like this, for example: 


<?php /* any PHP command(s) here */ ?> 

<?php header("Content-type: image/png"); ?> 


will not work. The mere presence of the empty line between the two 
encoded PHP statements will cause PHP to transmit standard HTTP 
headers, which almost always will not be what you wanted (otherwise 
you would not have used that function). Note that the blank line may 
even be...in another file. That is, the same thing will happen if you 
load PHP code from some external file that doesn’t end exactly with 
the closing ?> PHP tag. 

This is a frequent cause of headaches for programmers who build 
sites that use cookies. The only way to make cookies work is to handle 
them before your PHP program sends header information. If you don’t 
realize that a simple blank line sends header information, you can stare 
at your code for hours wondering why you are having problems with 
cookies. After all, you do handle cookies before you deliberately send the 
header. What you don’t necessarily notice is that there’s a blank line in 
your program (or included file) that is sending headers without your 
knowledge, which is why your cookies don’t work. 


4 Always Check User Data (and Beware of E-mail Addresses) 
You should always validate data that your pages receive from the 
Web. JavaScript routines that validate form input on the user browser 
are useless security-wise. Nothing prevents a cracker from sending 
malicious data directly to your code. Imagine a PHP shopping cart 
that can show all the items below the $HIGHEST_PRICE decided by 
the user. If, without previous checks, you merrily performed a 
database query with a $HIGHEST_PRICE whose value is something 
like "delete * from my_database;", don’t complain when your on-line 
store looks empty! 

You can validate data using a combination of three techniques. The first 
is to analyze the data with regular expressions that explicitly define only the 
formats that are allowed; a phone number or year of birth, for example, can 
contain only digits, so pass it through the function ctype_digit(). 

The second is to use other functions like EscapeShellCmd(), which 
can block “data” from executing unwanted system commands, or 
mysql_escape_string() on variables that must be inserted into an 
SQL statement. 

The last type of validation strictly depends on the actual meaning 
of a variable and the context in which it is used. Only you can help 
yourself here. For example, 5555555 is made only of digits, but (in North 
America) it is not a valid phone number. It should be allowed only if 
the user declared to be from another country. Similarly, although 18 
is a perfectly valid $AGE, a script offering discounts to senior citizens 
should refuse it, right? 

E-mail addresses are particularly troublesome from this point of view. 
There are several functions that validate their syntactical correctness, 
like the one at www.zend.com/tips/tips.php?id=224&single=1. 
They do nothing, however, to guarantee that an address does 
belong to the person who sent it, or that it exists at all, such as 
Luke.Skywalker@whitehouse.gov. Well, it's probably a safe assumption 
that there is no Luke.Skywalker in the White House, anyway. 
Always ask users to reply to a confirmation message or open a 
socket to their mail server to check whether they exist. 


5 Properly Manage Quotes and Escapes 
What will appear in your browser if you load this very simple PHP code? 


<?php 
$HOME = 'a sweet place'; 
print "1: $HOME<br>"; // double quotes 
print '2: $HOME<br>'; // single quotes 
?> 


The answer is these two lines of text: 


1: a sweet place 
2: $HOME 


Double quotes make PHP replace any variable inside them with its current 
value. The content of single quotes is treated like one monolithic, 
opaque block that can be copied or printed only, not modified. The same 
applies when you use quotes to build the keys of an associative array. 
$my_array['$HOME'] and $my_array["$HOME"] will be different elements. 
That's it. Still, it is very easy to forget this distinction and use one 
when you meant the other, or no quote at all. Therefore, when something 
doesn’t have the value you expected, check the quotes first. 

Because user data cannot be trusted, PHP can be set up to escape 
automatically, with slashes, all the $_POST data sent by an HTML form to 
the script. Actually, even internal data could contain slashes, to escape 
special characters, which must be removed before processing them. The 
solution is to use the stripslashes function, as in this example straight 
from the on-line PHP manual: 


<?php 
$str = "Is your name O\'reilly?"; 
// Outputs: Is your name O'reilly? 
echo stripslashes($str); 
?> 


6 Let the Database Do the Work Instead of Your Script 
As stated above, PHP is used together with MySQL so often that the 
LAMP acronym is one of the most well-known combinations in Web 
design. Consequently, one of the best ways to write faster PHP scripts is 
to learn MySQL well enough that it works as much as possible instead of 
PHP. These two snippets of code illustrate the concept: 


<?php // find all the books that Asimov wrote after 1980 
$sql = "select YEAR, BOOK from MY_BOOKSHELF where AUTHOR LIKE 'Asimov'"; 
if ($sql_res = mysql_query("$sql")) { 
    while ($r = mysql_fetch_array($sql_res)) { 
        if ($r['YEAR'] > 1980) { 
            // print the book title 
        } 
    } 
} 
?> 


And: 


<?php // find with MySQL all the books that Asimov wrote after 1980 
$sql = "select BOOK from MY_BOOKSHELF where AUTHOR LIKE 'Asimov' AND YEAR > 1980;"; 
if ($sql_res = mysql_query("$sql")) { 
    while ($r = mysql_fetch_array($sql_res)) { 
        // just print all the returned titles 
    } 
} 
?> 


The second version will run much faster than the first, because 
database engines are designed to select as quickly as possible all and 
only the data matching any combination of criteria. They'll always be 
much faster than PHP is in this kind of task. Therefore, make sure that as 
much as possible of your selection logic is inside the SQL query, not in 
the PHP code that builds and uses it. Of course, this whole tip applies 
as is to any other database engine you would use with PHP. 


7 Write Portable File Management Code 
Line endings in text files are encoded differently on each family of 
operating systems. Binary files, such as images or compressed 
archives, are much worse, in the sense that even one corrupted 
character can make the whole file useless. Practically speaking, this 
means it is up to you to write code that will manage file contents in 
the same way on any platform you might use. This remains true 
even if you are sure that you and your Web server will always and 
only run GNU/Linux. Otherwise, you could find no error in your 
image or text processing code until you use it to upload a file from 
the Windows or Apple computer of a friend! 

As far as PHP is concerned, the solution is to make proper use of the 
t (text mode translation) and b (binary) flags of the fopen() system call. 
The gory details are at www.php.net/function.fopen. Note that the 
page explicitly suggests: “for portability, it is also strongly recommended 
that you re-write code that uses or relies upon the t mode.” 


8 Know String Processing Functions 

Web pages still are mostly made of text, and the same is true for many 
databases. This is why optimizing text analysis and processing is one of 
the easiest ways to make all of your scripts run faster. Regular expressions 
are made to order for such jobs, but they look like hieroglyphics 
and may not even always be the optimal solution. PHP, although not 
going to the same extremes (uh, we mean power and flexibility) of Perl, 
has more than one function working just like regular expressions, 
only much quicker. We refer to str_replace(), strcmp(), strtolower(), 
strtoupper(), strtr(), substr(), trim(), ucfirst() and several others. Take some 
time to study them in the manual; it will be well worth it. 


9 Keep Layout and Programming Separate 

A sure way to make the source of any Web site unreadable and difficult 
to update is to interlace large chunks of PHP and HTML code, even if 
each piece of PHP is used only once in the page, as in this example: 


myfile.php> 
<!-- lots of HTML code for static header, logo, menus... --> 
<?php lots of PHP code generating a list of the latest news ?> 
<!-- lots of HTML code for the central part of the page... --> 
<?php lots of PHP code creating a per-user list of the 
      most popular pages ?> 
<!-- lots of HTML code for the user feedback form... --> 


Instead of making this error, encapsulate every piece of PHP code in 
one or more functions, then put them all in one separate file (without 
any HTML code), which will be loaded with the include_once command. 
The result will be much cleaner and easier to maintain: 


myfile.php> 
<?php include_once("common_code.php"); ?> 
<!-- lots of HTML code for the static page header, logo, 
     menus... --> 
<?php show_latest_news(); /* only one function call */ ?> 
<!-- lots of HTML code for the central part of the page... --> 
<?php show_most_popular_pages(); /* only one function call */ ?> 
<!-- lots of HTML code for the user feedback form... --> 


Another big advantage of this approach is that, by simply including 
common_code.php as shown above, any page of your Web site will be 
able to use those same functions. Even more important, should any function 
be modified, the new version would be available immediately in all 
the pages. 


10 Check the Results of Function and System Calls 
Last but not least, all PHP functions must return acceptable data to the 
code that called them. The tricky part of this apparently superfluous 
statement is the fact that the meaning of acceptable depends on the 
whole script, and it may be different at any time. Here is a very dumb, 
but effective example of what we mean: 


function subtraction($A, $B) { 
    $diff = $A - $B; 
    return($diff); 
} 

$C = 1/subtraction(3, 3);       // ERROR! Division by Zero! 
$D = 1/(1 - subtraction(3, 3)); 


Although calculating $C will make the script crash, calculating (with 
the same operands), $D will not. The point is that before doing anything 
with a variable, you should check that it has an acceptable value. In the 
example above, this would mean assigning the subtraction result to an 
auxiliary variable and proceeding with the division only if it is non-null. 

It is even more important to check return values from system calls, 
that is, the built-in functions provided to allow interaction with external 
processes and files. Should you forget to check a return value, data could 
be thrown away without anyone noticing, as in this example: 


<?php 
$HANDLE = fopen("newuser.txt", "w"); // open a file 
fwrite($HANDLE, "New User Data");    // write to it 
?> 


If fopen fails (because, for example, the disc is full or you had no 
permission to write) the New User Data is lost for good. Before writing, 
check that $HANDLE is not null: 


<?php 
if (!$HANDLE = fopen("newuser.txt", "w")) { 
    die("File access failed: newuser.txt"); 
} 
fwrite($HANDLE, "New User Data"); 
?> 


Happy PHP coding! 


Marco Fioretti is a hardware systems engineer interested in free software both as an EDA platform and, as 
the current leader of the RULE Project, as an efficient desktop. Marco lives with his family in Rome, Italy. 
The 64-Bit Question 


Linux is blowing its opportunity to be the best AMD64 platform for all needs. 


Nick Petreley, Editor in Chief 


I haven't upgraded my main workstation in 
years, so it is about time for a change. I’ve 
heard nothing but great things about the 
AMD64 processor, so that’s the route I take. 

I decide to shop for a lower-speed dual-core 
AMD64 processor instead of a high-speed 
single-core processor. I want dual-core, 
because I’m not looking for the ultimate 
gaming machine. I want a good “lets me 
compile, burn a DVD, and maybe do two or 
three other things at the same time and still 
have a very responsive desktop” machine. I 
find that I can put together a decent dual-core 
AMD64 box with a PCI Express x16 
NVIDIA display card, two huge SATA drives 
and 4GB of RAM for a surprisingly reasonable 
price. I get most of my stuff on-line from 
www.newegg.com, which has some pretty 
good deals. 

A few days later, most of my stuff arrives. 
It takes about a day to tinker together the 
new computer between editing sessions on 
the old one. With the exception of a couple 
of dumb mistakes, everything comes together, 
and the new computer is running fine. 

My SATA DVD drive hasn't arrived yet. 
I use my old IDE DVD drive to install the 
AMD64 version of Kubuntu. This turns out 
to be an accidental lucky break, as you'll 
see in a moment. 

I upgrade Kubuntu AMD64 to use the 
K8-SMP version of the kernel in order to take 
advantage of my dual-core processor. Big 
mistake. The SMP kernel crashes. A lot. I 
check the forums, and it crashes a lot for 
many Kubuntu/Ubuntu users. Kubuntu 
released an updated version of the kernel, 
but it still crashes, just not as often. 

So I compile my own 2.6.15.4 version of 
the kernel. It doesn’t support the graphical 
boot screen, and it reports some meaningless 
errors. I don’t care. My version of the kernel 
is stable and it supports all my hardware. 

My SATA DVD drive arrives. I remove 
my IDE drive and install the SATA drive. My 
Linux kernel can't recognize the drive. 
Why? Because there is a kernel driver 
parameter called atapi_enabled that needs 
to be set to 1 in order for the kernel to 
recognize the DVD/CD drive. I modify the 
source code to change the default and 
recompile. That works. (You don’t have to 
modify the source, but it’s beyond the 
scope of this rant to explain why I chose 
that method over the alternatives.) 

Then I attempt to install the AMD64 
version of Debian. Thanks to the default 
atapi_enabled=0 in the Debian kernel on the 
DVD, the installation program can’t find the 
DVD/CD drive in order to install the software. 
I can’t find any way to change the parameter 
to 1. I read that the kernel boot option 
libata.atapi_enabled=1 should work, but 
it doesn’t. So I can’t install Debian AMD64 
(or probably any other distribution) unless 
I put an additional IDE DVD/CD drive in the 
machine. That's nuts. 

Then I run Firefox under Kubuntu. The 
latest official Kubuntu version is 1.07. I want 
to use 1.5 or later, and there is no AMD64 
version available. So I compile one myself. 
That's fine, but no AMD64 version of Firefox 
can run Flash because there is no 64-bit 
version of Flash. There is an AMD64 version of 
Java, but it doesn’t include a plugin library, so 
I can’t run AMD64 Java from this browser, 
either. The Ubuntu forums explain how to 
get 32-bit Firefox working with Flash and 
Java without having to chroot to a 32-bit 
environment, but those instructions don’t 
work for me. I eventually track the problem 
down to another kernel configuration option. 

I suppose I can avoid all these problems 
by running i386 versions of Linux on this 
machine. I suppose I could also have avoided 
all these problems if I had researched existing 
support for AMD64 and chose not to go 
with an AMD64 chip. But I didn’t think I 
had to research AMD64 support. The AMD64 
is practically an old chip now by modern 
standards. There are lots of notebook 
computers that use a version of the AMD64, 
so don't tell me it’s a server-only chip. 

Granted some of the problems are 
external to Linux, such as the lack of an 
AMD64 Java plugin library and lack of 
AMD64 Flash plugin. But there’s no excuse 
for Linux being unable to recognize a 
SATA DVD/CD drive, no matter what chip 
you're using. And since Ubuntu shows that 
it is possible with customization, there's no 
excuse for any AMD64 distribution failing 
to let you run 32-bit Firefox with plugins 
right out of the box. 

The 64-bit version of Windows is still 
struggling. So there is still a window of 
opportunity for Linux to be the first, best 
AMD64 desktop platform. It’s high time 
distro developers (and third parties) got off 
their arses to help make this possible. 


Nicholas Petreley is Editor in Chief of Linux Journal and a former 
programmer, teacher, analyst and consultant who has been 
working with and writing about Linux for more than ten years. 